A Trojan dubbed Quant Loader, which appeared on Russian underground hacking forums on September 1st, has already been adopted by the distribution campaigns of the Locky ransomware and the Pony infostealer.
According to its advertisements, the Trojan is a new malware dropper: a first-stage infection whose job is to quietly download and install more sophisticated malware. It is sold to anyone willing to pay for it.
Security firm Forcepoint says that although Quant Loader was first spotted at the very beginning of this month, only 12 days later it was already integrated into two well-known distribution chains. The criminal gangs behind the notorious Pony infostealer and the Locky ransomware (Zepto variant) evidently wasted no time and are currently deploying it.
Quant Loader arrives via spam email messages with ZIP files attached. Unzipped, the archive drops a Windows Script File (WSF) onto the user's computer which, when run, downloads Quant Loader. Once it has established boot persistence, the Trojan downloads the Locky or Pony payload.
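The delivery chain above (ZIP attachment containing a script file) is the cheapest place to break this campaign: a mail gateway or triage script can refuse ZIP attachments that carry Windows Script Host content before anyone double-clicks them. The following is an added example, not code from the article or from Forcepoint. It builds a constructed sample attachment in memory, then walks it, including nested ZIPs, and flags entries whose final extension is a script type. The article names only .wsf; the other extensions in the blocklist, the nesting limit and the sample file names are assumptions made for the example.

```python
import io
import zipfile

# Script extensions treated as executable content. The article names only .wsf;
# the others are added as an assumption about what a gateway would block with it.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}
MAX_NESTING = 3  # assumed limit on zip-in-zip recursion, to avoid archive-bomb loops


def classify_name(name: str) -> bool:
    """True if an archive entry name ends in a script extension (case-insensitive).
    Catches double-extension lures such as 'scan.pdf.js' because only the final
    extension decides what Windows executes."""
    base = name.lower().rsplit("/", 1)[-1]
    return any(base.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_script_attachments(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return the paths of every script file in a ZIP attachment, descending into
    nested ZIPs up to MAX_NESTING levels. Nested entries are reported as
    'outer.zip!inner/name' so an analyst can locate them. Malformed ZIPs yield []."""
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if classify_name(info.filename):
                found.append(path)
            elif info.filename.lower().endswith(".zip") and depth < MAX_NESTING:
                found.extend(
                    find_script_attachments(archive.read(info), depth + 1, path + "!")
                )
    return found


def build_sample_attachment() -> bytes:
    """Constructed sample for the demo (not a real malware sample): a ZIP holding a
    WSF lure, a double-extension JS lure, a benign PDF and a nested ZIP with a VBS."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/readme.txt", "nothing to see")
        z.writestr("docs/macro.vbs", "' placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2016-09.WSF", "<job><script language='JScript'></script></job>")
        z.writestr("scan.pdf.js", "// placeholder")
        z.writestr("statement.pdf", "%PDF-1.4 placeholder")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_attachments(build_sample_attachment()):
        print("BLOCK:", hit)
```

Matching on the final extension only is deliberate: Explorer hides known extensions by default, so `scan.pdf.js` looks like a PDF to the user but is run by the Windows Script Host. For production use, pair the name check with content sniffing, since an attacker who controls the lure can also rename the archive itself.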
On the underground forum, Quant Loader's developers advertise their product as a brand new Trojan able to install both DLL and EXE files and to escalate user privileges without any "aggressive" techniques.
Buyers also receive an admin panel that lets them choose which malware to push to the compromised machines and target computers by geographical location.
The crooks behind Quant Loader further claim that their product can cap the number of downloads and, optionally, balance downloads across different servers, both to avoid getting flagged and to maximise successful malware installs.
However, a technical analysis by Forcepoint revealed that Quant Loader is not as new as advertised. As it turns out, its authors reused much of the codebase of the Madness DDoS Trojan. Some VirusTotal engines even detect Quant Loader under names used for Madness, such as "Crugup" and "Pliskal".
Forcepoint was able to connect the two operations, discovering that Quant Loader's seller, "MrRaiX" (also "DamRaiX"), is in fact a member of a larger gang called "C++ GURU" (also known as "CPPGURU").
The same gang also sells the Madness DDoS Trojan (which can be used to build a DDoS stresser service), the Z*Stealer information-stealing Trojan and the MBS Bitcoin-mining Trojan. The connection is also visible in the "copyright" watermark on both the Madness and Quant backend panels, which carries the gang's name.