ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
Despite not being the most advanced or stealthy malware downloader on the market right now, the Quant Loader malware dropper is seeing increased activity in recent months.
Security researchers are noticing an uptick in Quant Loader detections, with a constant stream of campaigns getting off the ground on a regular basis.
Quant Loader launched in September 2016
This particular piece of malware was first spotted in September 2016, when a malware developer known as MrRaiX or DamRaiX started selling it on underground Russian-speaking malware forums.
At the time, Quant Loader surprised malware researchers because it entered active distribution chains almost right away, being used in campaigns that infected victims with the Locky ransomware or Pony infostealer.
Quant Loader’s role in all campaigns was to infect victims and gain an initial foothold and then download secondary payloads — which is the typical and primary behavior of a malware dropper.
At the time, security researchers noted Quant Loader’s general lack of sophistication due to its inability to avoid antivirus detection and the lack of a code packing function to disguise is malicious behavior from such products.
Most experts believed the trojan would either die off after other cyber-criminals realized the same thing or Quant Loader would evolve with the addition of new features to improve its stealthiness.
Quant Loader gained little features, but remained in use
More than a year later, the trojan is still going strong, despite adding very few new features.
“Quant Loader wasn’t something very good,” a security researcher known as MalwareHunter told Bleeping Computer. “But anyway, doing a Twitter search shows it’s still active, but most of the time only for dropping miners and Formbook malware… So nothing serious.”
A few days after Bleeping Computer spoke with MalwareHunter about Quant Loader, one of the biggest malware distribution campaigns using Quant Loader was detected yesterday by several security researchers.
This constant use of what appears to be an inferior malware dropper is somewhat amazing, comparing that crooks also have the option of using more featureful and advanced alternatives such as Zbot, Emotet, or Kovter.
Bleeping Computer reached out to Robert Neumann, Senior Security Researcher at Forcepoint Labs, who last week published a report detailing the recent Quant Loader developments.
Neumann noted that the author of Quant Loader had continued to advertise his malware on hacking forums throughout 2017. These ads served as a reminder and easy go-to solution for other malware distributors looking for a plug-in malware dropper.
Under the hood, the trojan gained very little new features, Neumann noted.
“The additions being made to [Quant Loader] are still relatively basic capabilities such as including a lengthy sleep command in an attempt to avoid sandbox environments – an old trick now bypassed by most modern sandboxes – and antivirus detection for a number of products via their registry entries,” Neumann says.
Quant Loader gains two subpar modules
It appears that in order to divert buyer attention from the fact that very few features have been added to Quant Loader in the past year, MrRaiX simply merged two previous malware families he was developing for the past few years into Quant Loader and passed these as new features.
These are the Z*Stealer information-stealing trojan and the MBS Bitcoin-mining trojan. Both were subpar malware strains, which have now become subpar Quant Loader modules.
For example, Z*Stealer can extract data from only 35 apps, a number far inferior to other infostealers, but to be fair, MrRaiX does cover all the basic targets such as major browsers, email, and FTP clients.
On the other hand, MBS is a complete disaster as it can only steal wallet data from only five wallet apps, which is nowhere close to other Bitcoin wallet stealers on the market today.
In reality, MBS can steal data only from four wallet apps, because MultiBit, one of the supported Bitcoin wallets, has shut down for more than a year, something that MrRaiX didn’t even notice.
“It’s not an advanced piece of malware,” Neumann told Bleeping Computer via email last week, “however stating ‘poorly coded’ is probably not the best attribution.”
“It’s just that the developer was not investing their time into coding an additional executable packer or trying to get around already installed AV defenses,” Neumann added.
“The target customers are usually solving AV evasion by buying/renting an executable packer from [an] expert of that domain. We’ve also collected custom packed samples. The compiled code is small (below 30kb) and rather ‘clean,’ without additional bells & whistles. It does not try to look to be much more than what it really is.”
The low price is what keeps Quant Loader alive
Neumann tells Bleeping Computer that Quant Loader’s low price is what helps it gain new users.
“MBS can be bought separately for $100 for a full license and an additional $15 for every update while Z*Stealer would be $100 for a full license with free updates, or $55 for a base license and an additional $15 for every update. This is as compared to a recent advert offering five full Quant licences for $275,” Neumann says, citing a recent Quant Loader ad.
“There is not aggressive advertising of these products,” Neumann says. “Product updates would be posted on a couple of underground forums, so they appear as something being actively maintained. There are also ‘sales’ every now and then when one can get licenses for a discounted price.”
“The considerably low price is definitely appealing,” Neumann adds, pointing out to the primary characteristic that attracts new users to Quant Loader.
“Instead of having a higher price with a bit more functionality this developer just leaves it up to customers to decide whether they want to spend additional money on executable packing (e.g. to create Fully UnDetectable aka FUD malware) or deploying the original binary as is.”
Furthermore, Quant Loader is “easy to use and customize by adding a custom task on the panel and/or disabling the built-in credential stealing features,” which makes it intuitive to use, compared to the overly complicated control panels that some malware families provide.
As it looks right now, Quant Loader is one of those cheap and tiny city cars that fit in small places. They’re useless in most situations, but they get a specific job done.
Quant Loader is not an expansive modular malware strain like Emotet, but when it comes to dropping malware, if it’s combined with a solid malware packer that helps it avoid AV detection, it gets its job done, and that’s what it counts to crooks the most. It’s both bad and good at the same time, similar to those city cars, but it’s still ridiculous when you realize that a malware dropper that can’t evade AVs on its own is so popular on the malware scene. If we take into account that malware distributors don’t use malware unless it’s effective, this also says that most users either don’t use AVs, or most AVs still can’t detect and flag malware hidden behind packed code fast enough.
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.