Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permission
  • Can't be uninstalled via Control Panel


QuantLoader is a clandestine Trojan downloader that can act in a highly intrusive manner once inside the operating system. The threat is believed to be distributed by the RIG exploit kit, which is deployed through malvertising campaigns; this lets the malware's operators drop it onto the targeted computer silently, without any action by the user. Some of the domains used in the campaign include filmsdays[.]top, highqualitywebhelp[.]top, i-yourdoctor[.]top, madicalcareme[.]top, medical-help[.]top, mymedicalcare[.]us, pay-scale[.]us, photosetty[.]us, and photo24[.]top. Once the RIG exploit kit fires, it drops two identical QuantLoader payloads into the %TEMP% directory. A copy is then executed from the %APPDATA% directory, where the malicious .exe file (the copy) is placed in a folder whose name is a unique ID. QuantLoader's job is to download and run the next stage, which is identified as the FormBook Trojan. FormBook creates its own copy in one of the following directories: %APPDATA%, %USERPROFILE%, %TEMP%, %ProgramFiles%, or %CommonProgramFiles%. In the observed sample the copy was named “mfcgn2pl.exe,” but the name is not fixed, and a different, random-looking name makes FormBook harder to find and delete manually. Because neither the file name nor the folder is predictable, users removing QuantLoader and FormBook are likely to face difficulties whichever method they choose.

FormBook is sold as ready-made malware (malware-as-a-service), so anyone willing to pay can use it. According to research, the full-package hosted service can be rented for $29 per week, $59 per month, or $99 per three months, and the “Pro” version costs $299. This is why it is impossible to say who is behind FormBook once QuantLoader has downloaded it: the operator of any given infection is just one of many customers. The Trojan has also been observed spreading on its own, through malicious PDF files, DOC files with malicious macros, and archive files. Experienced users, or users running reliable security software, should recognize the scam and the malware right away, but less experienced users on unprotected systems could let it in without hesitation. While most of the attacks targeted systems in the United States, the campaigns using archive files for infection primarily hit systems in South Korea.

The observed PDF attacks used email subject lines such as “You have a parcel awaiting pick up” and “I shared a file with you” to attract the target’s attention. The spam emails carrying malicious DOC files, whose macros download the malware payload, used the same technique; some of their subject lines were “NEW ORDER - PO-[number],” “REQUEST FOR QUOTATION/CONTRACT OVERHAUL,” and “URGENT PURCHASE ORDER [number].” When FormBook is distributed in archive files (.ace, .iso, .rar, or .zip), the victims receive misleading messages with subject lines such as “[code] PAYMENT CONFIRMATION,” “Fwd: INQUIRY [number],” or “Re: bgcqatar project.” Although these lures could work on regular users, the FormBook campaigns appear to be aimed at larger companies and organizations in aerospace, manufacturing, education, energy, and government. The Trojan is exceptionally intrusive and can leak highly sensitive data, which is why it must be removed as soon as possible.

Once QuantLoader is on the system and has downloaded FormBook, FormBook hooks various Windows API functions to intercept data. According to our researchers, the Trojan can log keystrokes, monitor the clipboard, grab browser and email client passwords, capture screenshots, download and execute files, remove itself (the bot) from the host on command, launch commands via ShellExecute, delete browser cookies, download and unpack ZIP archives, shut down the system, and more. It even appears that the Trojan can download Zeus Panda, a well-known banking Trojan that records online-banking credentials and session data for fraud. Everything this infection does is silent, which is part of why it is so dangerous. Plenty of infections work in the same ways, but because FormBook can be rented by anyone, it can threaten far more systems.

It is exceptionally important to delete QuantLoader from the operating system before it executes FormBook, but once the loader is in, the victim is unlikely to be able to stop the Trojan from running. If this malware stays undetected, highly sensitive information can be recorded and leaked, which is why securing the system is crucial. We suggest you install anti-malware software at once: it will provide full-time protection against malware that tries to invade in the future, and it will automatically remove QuantLoader and FormBook if they have already invaded. If you decide to erase the malware manually, remember that the names and locations of its components can be random, which makes manual removal extremely complicated and, for some users, impossible.

QuantLoader Removal

  1. Launch Windows Explorer by tapping the Win+E keys.
  2. Enter %APPDATA% into the address bar at the top.
  3. If a malicious file (e.g., named Cookiescz7x.cmd) exists, right-click it and choose Delete (note that this file could be stored in a folder whose name is a unique ID).
  4. Enter %TEMP% into the address bar at the top.
  5. If a malicious file (e.g., named mfcgn2pl.exe) exists, right-click it and choose Delete. The name is only an example; look for recently created executables you do not recognize. If Windows reports that the file is in use, end the process in Task Manager first.
  6. Check these directories for malicious files too:
    • %USERPROFILE%
    • %ProgramFiles%
    • %CommonProgramFiles%
  7. Launch RUN by tapping the Win+R keys and then enter regedit.exe into the dialog box.
  8. Go to these keys and check their values for entries that launch the files you found (if any exist, delete that value, not the whole key):
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  9. Once you have eliminated the malicious components, perform a full system scan to check that your system is clean.
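The manual steps above, and the infection chain described earlier (payloads in %TEMP%, a copy in a uniquely named %APPDATA% folder, a randomly named FormBook copy in one of five directories, persistence in the Run keys), can be checked in one pass. The following PowerShell script is an added example written for this page; it is not part of the original article and not a tool from any vendor. It assumes a recent infection (a 7-day cutoff) and the file extensions listed in the code; adjust both if nothing shows up. It deletes nothing.

```powershell
# Added triage script (not from the original article). It lists, without
# deleting anything, the two kinds of evidence the removal steps tell you to
# look for: recently written executables in the drop directories the article
# names, and autorun values that launch from user-writable paths.
# Assumptions: the infection is less than 7 days old ($cutoff) and the
# payload uses one of the extensions in $exts; widen both if needed.

$cutoff = (Get-Date).AddDays(-7)
$exts   = @('.exe', '.dll', '.cmd', '.bat', '.vbs', '.js')

# Drop locations named in the article for QuantLoader and FormBook copies.
$dropDirs = @($env:APPDATA, $env:TEMP, $env:USERPROFILE,
              $env:ProgramFiles, $env:CommonProgramFiles)

# Autorun keys from the removal steps. Persistence lives in the *values*
# under these keys, so each value is inspected; the keys themselves stay.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Paths a legitimate autorun entry should not normally launch from.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)

Write-Host "== Recently written executables in drop directories (Valid signatures sorted last) =="
$files = foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Depth 1 also covers the "folder named with a unique ID" case the article describes.
    Get-ChildItem -LiteralPath $dir -Recurse -Depth 1 -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($exts -contains $_.Extension) -and ($_.LastWriteTime -gt $cutoff) }
}
$files |
    Sort-Object FullName -Unique |
    ForEach-Object {
        [pscustomobject]@{
            LastWriteTime = $_.LastWriteTime
            # Authenticode status as text: NotSigned/UnknownError sort before Valid.
            Signature     = [string](Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Status
            FullName      = $_.FullName
        }
    } |
    Sort-Object @{Expression = 'Signature'; Descending = $false},
                @{Expression = 'LastWriteTime'; Descending = $true} |
    Format-Table -AutoSize

Write-Host "== Autorun values launching from user-writable paths =="
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSChildName metadata
        $cmd      = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        foreach ($dir in $userWritable) {
            if ($expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $cmd }
                break
            }
        }
    }
}
```

Run it from a normal PowerShell prompt; reading these keys and directories does not require elevation. The output is evidence to review, not a verdict: a recently written, unsigned executable in %APPDATA% that is also referenced by a Run value is a strong candidate for steps 3 to 8, whereas a signed vendor updater under %ProgramFiles% is expected noise.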
