Attackers Can Now Create Malicious Windows Shortcuts Thanks to the New “Quantum” Builder

The Quantum Lnk Builder

Criminals now have easy access to the ability to generate malicious Windows shortcut (.LNK) files thanks to a brand new malware application that is now available for purchase on cybercrime websites. The malicious application, which goes by the name Quantum Lnk Builder, is equipped with a bypass capability for UAC and Windows SmartScreen as well as numerous payloads per.LNK. It also includes more than 300 icons accessible for use in faking extension filenames. This program is a highly strong constructor since it has the capacity to create.HTA and.ISO payloads, both of which are included in the package.

Quantum Builder
The Quantum Lnk Builder software

The developers make it possible to employ Quantum Builder for a certain amount of time, ranging from one month to two months to six months, or to purchase the program entirely for a one-time payment of €1,500. The prices for these options may be seen on the authors’ website.

A study from Cyble explains that “.LNK” files are shortcuts to other files, directories, or programs. The way the threat actor operates is, that it uses LOLBins [living-off-the-land binaries] to deploy malicious payloads.

According to reports, malware samples that used Quantum Builder in the wild first surfaced on May 24 in the form of seemingly harmless text files (“test.txt.lnk”).

Files labeled “file name.txt.lnk” are hidden by default on Windows, so even if the option to reveal file extensions is turned on, users can only see “file name.txt”. This leaves room for malicious actors to use the.LNK files as a disguise or smokescreen for various types of malicious code.

There are rumored links between Quantum Builder and the North Korean-based Lazarus Group, based on the tool’s source code-level similarities and Lazarus’s method of operation. Researchers note that LNK files may be used by threat actors to deliver additional payloads, suggesting their potential usage in attacks.

As a response to Microsoft’s decision earlier this year to disable Visual Basic for Applications (VBA) macros by default across all of its products, criminal operators have started switching their focus to LNK files and the possibility of using them as a conduit to launch infection chains. According to security specialists, there is a strong likelihood that criminal gangs will employ such files to actively distribute their payload in the not-too-distant future, especially when tools like the new and sophisticated Quantum Builder can conduct a variety of evasive moves and utilize complex anti-analysis techniques are at their disposal.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment