Analysis of New Trojan Reveals That it Might Not be so New

Quant Loader, the Trojan that appeared last month on Russian Underground forums has now been integrated into spam distribution chains that are used to deploy Locky ransomware as well as Pony infostealer.

The virus is being sold openly to anyone, and is being advertised as a malware dropper that can be used in the first stage infection, which is a stealthy download of more advanced malware.

Reports state that the new Trojan appeared on September 1^st. By September 12^th it had already been part of spam campaigns. Currently the hacker behind the Locky ransomware and Pony campaigns have purchased it and are now using it. The spam emails, like any other malicious emails, come with zip files attacked, which when downloaded, unleash the sophisticated, malicious code into the victim’s computer.

The Russian hacking forum advertisements state that the new Trojan is written from scratch, can download both EXE and DLL files, and raise user privileges without any aggressive techniques. It avoids antivirus detection to optimize malware installs. The Trojan can limit the number of needed downloads, and optionally balance downloads across multiple servers.

Forcepoint did a technical analysis and said the Trojan is not as new as the claims, and the codebases seem to have been reused from Madness DDoS Trojan. In fact, VirusTotal scans labeled Quant Loader as “Pliskal” and “Crugup”, also terms for the Madness Trojan.  The analysis also revealed that the group was also selling access to the Madness DDoS Trojan that helped build a DDoS stresser service, and the MBS Bitcoin-mining Trojan.

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.