Tuesday, Dec 05, 2017

Quantize or capitalize


Robert Neumann Senior Security Researcher

Last year, Forcepoint Security Labs blogged about the Quant Loader – a Trojan downloader previously seen being used to distribute Locky and Pony. 

We recently came across an active Quant loader administration panel hosted on a freshly registered domain which was also hosting a number of additional malware samples. At first glance everything seemed to be business as usual, but once the initial investigation was completed it became evident that some additional ‘features’ had been added...

Three for the Price of One 

Quant is neither new nor a particularly novel piece of malware: we covered the basics of it last year when it was first advertised by its creator, MrRaiX, and began to emerge in the wild. However, analysis of the newly obtained samples quickly revealed some differences from the previously documented Quant-based Locky and Pony campaigns. Further, these newest samples all appeared to attempt to download the same payload files from the C2 server after their initial connection. 

Depending on the actual tasks enabled on the Quant server, the following files are hosted by default and wait to be downloaded and executed:

  • bs.dll.c – A cryptocurrency stealer 
  • sql.dll.c – A benign SQLite library upon which ‘zs.dll.c’ depends 
  • zs.dll.c – A credential stealer 

Cryptocurrency Stealing - MBS

BS.DLL.C is a small Borland Delphi based library created to extract several less-popular cryptocurrency wallets from the victim's computer, alongside the perennial number one suspect, Bitcoin.  

It scans the user's Application Data directory for supported wallets, extracts the information found, and transfers it over to the C2 server. Judging by the actual data on the servers we examined, and presumably because some of the more popular currencies are not supported, this functionality does not seem to be particularly fruitful.

The currently supported clients and crypto currencies are: 

  • Bitcoin (BTC) - via MultiBit and Electrum wallets 
  • Terracoin (TRC) 
  • Peercoin/PPCoin (PPC) 
  • Primecoin (XPM)

Note that the company behind the MultiBit wallet has been out of business for over a year.

Credential stealing - Z*Stealer 

ZS.DLL.C is another Delphi based library, this time for stealing both OS and application login credentials. As with the cryptocurrency stealer, once the password scan is completed the extracted information is transferred to the C2 by HTTP POST request to a PHP page on the server side. 

Based on data retrieved from the C2 servers, the credential stealing capability seems to be comparatively successful at retrieving data. A range of commonly used applications are supported:

  • Pidgin IM 
  • Thunderbird 
  • VNC 
  • Sleipnir Browser 
  • Qip 2005 
  • Total Commander 
  • WinSCP 
  • Torch Browser 
  • Qip 2010 
  • Outlook Express 
  • Chrome 
  • Remote Desktop (RDP) 
  • Qip Online 
  • CuteFTP 
  • Firefox 
  • Windows Dialler (RAS) 
  • Miranda IM 
  • WsFTP 
  • Opera 
  • Wifi 
  • ICQ 
  • SmartFTP 
  • Safari 
  • Psi IM 
  • FlashFXP 
  • Internet Explorer 
  • FileZilla 
  • Yandex Browser 
  • The Bat 
  • Outlook Express 
  • Amigo Browser 
  • Yandex Online 
  • Windows Live Mail 
  • Comodo Browser 

But Wait, There’s More… 

Both of these stealers were already in development (and actively sold on underground forums) by the author when Quant loader was first released. In early 2017 the decision appears to have been made to include them with Quant Loader as part of a package, either to pump up the price or justify it by providing more functionality. 

These two modules are still sold separately: MBS can be bought for $100 for a full license plus an additional $15 for every update, while Z*Stealer costs $100 for a full license with free updates, or $55 for a base license plus an additional $15 for every update. By comparison, a recent advert offered five full Quant licences for $275.

While stealing credentials and various crypto currency wallets are now enabled as the default configuration, the panel still lets users disable the distribution of these modules and/or create additional custom tasks for deploying further malware on the victim machines. 

Quantity over Quality 

Once the components above were analysed we compared the binaries from a number of different C2 servers. 

The result was a bit different from our initial expectation, at least as far as the DLL modules are concerned. The SQLite library was always consistent, and there seems to be little to no practical reason for updating it. However, we were expecting the MBS and Z*Stealer components to receive more frequent updates, reflecting MrRaiX's activity on the underground forums. 

Comparing the different builds of these modules, meaningful updates appear to happen only once in a long while; more typically, slight modifications are made to the code base every two to eight weeks so that the product appears to new buyers as something being ‘actively’ developed.  

More effort seems to go into updating the main loader executable. However, the additions being made to it are still relatively basic capabilities, such as a lengthy sleep command in an attempt to evade sandbox environments – an old trick now bypassed by most modern sandboxes – and detection of a number of antivirus products via their registry entries (key, value name):  

  • Kaspersky Internet Security – HKLM\SOFTWARE\KasperskyLab\LicStrg, kis 
  • Panda Firewall – HKLM\SOFTWARE\Panda Software\Setup, FirewallName 
  • Norton Security – HKLM\SOFTWARE\Classes\Applications\NS.exe, TaskbarGroupIcon 
  • Dr. Web Firewall – HKLM\SYSTEM\ControlSet001\services\DrWebLwf, DisplayName 
  • Bitdefender – HKLM\SOFTWARE\Bitdefender Agent\Install, InstallPath 
  • BullGuard – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bullguard.exe, Default  

The newer builds also utilize a UAC bypass trick by calling ShellExecuteEx with the non-documented 'runas' flag. Under certain UAC settings this results in the malware running with elevated privileges without bringing up the UAC prompt. This was not present in the sample examined in September 2016 but was introduced shortly after, and may be the capability referred to as 'privilege escalation' in the advertising material.
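Whether a 'runas' request elevates silently depends on the host's UAC policy, so the practical mitigation is to audit that policy. The following PowerShell is an added example written for this post, not code from Forcepoint or from the Quant samples. It assumes the "certain UAC settings" referred to above are the well-known permissive ones: UAC disabled (EnableLUA = 0) or the "Never notify" level for administrators (ConsentPromptBehaviorAdmin = 0), under which an administrator's processes elevate with no prompt. The function and parameter names are my own.

```powershell
# Added example: audit the UAC policy values that govern silent elevation.
# Assumption: silent 'runas' elevation for an admin user requires EnableLUA=0
# or ConsentPromptBehaviorAdmin=0; PromptOnSecureDesktop=0 weakens the prompt.
function Get-UacElevationPosture {
    [CmdletBinding()]
    param(
        # Standard location of the UAC policy values on Windows
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    # Fall back to the Windows defaults when a value has never been written
    $enableLua     = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }
    $consentAdmin  = if ($null -ne $props.ConsentPromptBehaviorAdmin) { [int]$props.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesktop = if ($null -ne $props.PromptOnSecureDesktop) { [int]$props.PromptOnSecureDesktop } else { 1 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is off, every process of an admin user already runs elevated.'
    }
    if ($consentAdmin -eq 0) {
        $findings += "ConsentPromptBehaviorAdmin=0 ('Never notify'): 'runas' elevates admin users without a prompt."
    }
    if ($secureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the consent prompt is shown on the interactive desktop.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consentAdmin
        PromptOnSecureDesktop      = $secureDesktop
        SilentElevationPossible    = ($enableLua -eq 0 -or $consentAdmin -eq 0)
        Findings                   = $findings
    }
}

# Hardening companion: require consent on the secure desktop (level 2 =
# "Always notify" for administrators). Supports -WhatIf for a dry run.
function Set-UacAlwaysNotify {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1')) {
        Set-ItemProperty -Path $PolicyKey -Name 'EnableLUA' -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name 'PromptOnSecureDesktop' -Value 1 -Type DWord
        # A change to EnableLUA only takes effect after a reboot
    }
}

# Usage: list the posture, then harden if silent elevation is possible
$posture = Get-UacElevationPosture
$posture | Format-List
if ($posture.SilentElevationPossible) { Set-UacAlwaysNotify -WhatIf }
```

Run it from an elevated prompt if you intend to apply the change; reading the policy works from any account. The audit reports the effective values rather than raw registry reads, so a host where the values were never written still gets a correct verdict.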

Protection Statement 

Forcepoint customers are protected against this threat at the following stages of attack: 

  • Stage 5 (Dropper File) - The Quant Loader and associated malware files are prevented from being downloaded. 
  • Stage 6 (Call Home) - Attempts by Quant Loader to contact its C2 servers are blocked. 


These days you don’t have to provide a niche or technologically very capable product on the dark market, just one which fits into the unfortunately ever-expanding market. Quant Loader qualifies under these conditions and shows how someone with average skills, a bit of desire and a willingness to commit updates every few weeks can make money for years while maintaining a limited profile. 

Similarly, the packaging of Quant Loader with the stealer DLLs makes deployment easier for unskilled customers: while the software maintains the ability to drop custom payloads, the vast majority of the attacks we saw did not bother to use this capability.

Targeting cryptocurrency wallets is not a particularly new innovation, and targeting 'offline' wallets is a relatively well-established way of attempting to steal 'coins'. Interestingly, while the stated goal of the Z*Stealer module is more general password theft, it may stand a better chance of returns by stealing user credentials for online wallet providers and exchanges such as Coinbase. We have previously reported a number of malware families moving to target these services: the Trickbot banking Trojan expanded its list of targets to include Coinbase in August 2017 and, even further back, Dridex expanded its target list to include a number of Bitcoin-related applications in September 2016. Indeed, the ongoing targeting of cryptocurrency wallets and services is something covered in Forcepoint's 2018 Security Predictions.

This again highlights the ongoing issue of small-scale, amateur cybercrime, which has been a recent thread on this blog: as long as an effective campaign can be mounted with minimal effort, it will remain difficult to deter would-be cybercriminals from ‘having a go’.

Indicators of Compromise 

C2 Servers

Quant Loader (SHA256) 


BS.DLL (SHA256) 


ZS.DLL (SHA256) 


About the Author

Robert Neumann

Senior Security Researcher

Robert Neumann is a Senior Security Researcher in Forcepoint X-Labs. He focuses on various short- and long-term research projects, ranging from small scale malicious campaigns through niche malware and file formats to in-depth investigations and threat actor attribution. 
Robert is...