New Quant Trojan Version Targets Cryptocurrency Wallets

Security researchers from Forcepoint Security have discovered a new version of the Quant trojan with features that allow it to target cryptocurrency wallets. According to the researchers, it’s not surprising that cybercriminals are focusing on cryptocurrencies, given the rapid rise in Bitcoin’s value this year. At the time of the report, the price of one Bitcoin had reached $12,600.

Quant is being sold on Russian-language hacker forums by a user with the aliases MrRaiX and DamRaiX. The trojan acts as a loader program, featuring geographic targeting as well as the ability to download and execute .exe and .dll files. Last year, Quant was used by attackers to distribute the Locky Zepto and Pony malware.

New Features in the Updated Quant Trojan

Experts report that the updated version of this malware includes several new features. Notably, the trojan now comes with a set of malicious files that are downloaded to the infected device by default:

  • bs.dll.c: This file enables the theft of cryptocurrency.
  • sql.dll.c: This is an SQLite library required for the operation of the third file.
  • zs.dll.c: This file allows the theft of user credentials.

The bs.dll.c file, also known as MBS, is a library that scans the Application Data directory for cryptocurrency wallets, steals any discovered data, and sends it to the attacker’s command-and-control (C&C) server. The trojan specifically targets offline wallets that support Bitcoin, Terracoin, Peercoin, and Primecoin.

The zs.dll.c module, also called Z*Stealer, is designed to steal credentials from applications and the operating system. After scanning, all stolen credentials are sent to the C&C server via an HTTP POST request. Z*Stealer can be used to steal credentials from Wi-Fi networks, the Chrome browser, and email clients like Outlook Express and Thunderbird.
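For defenders, the module file names and the wallet-scanning behavior described above can be turned into a simple triage rule over file-activity telemetry. The following is an added example, not code from Forcepoint or from the malware; the event fields (`action`, `image`, `target`), the allow-list, the wallet directory names, and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# File names of the bundled modules as reported in the article.
QUANT_MODULES = {"bs.dll.c", "sql.dll.c", "zs.dll.c"}
# Coins named in the article. Assumption: each wallet keeps its data in an
# Application Data subdirectory named after the coin; verify for your clients.
WALLET_DIRS = {"bitcoin", "terracoin", "peercoin", "primecoin"}
# Assumption: the only processes expected to read wallet data on this host.
ALLOWED_IMAGES = {"bitcoin-qt.exe", "bitcoind.exe"}

# Captures the first directory below the roaming Application Data folder.
APPDATA_RE = re.compile(
    r"\\(?:appdata\\roaming|application data)\\([^\\]+)\\", re.I)


def classify(event):
    """Return a finding string for one file event, or None if unremarkable."""
    name = ntpath.basename(event["target"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if event["action"] == "create" and name in QUANT_MODULES:
        return f"quant-module-drop: {image} wrote {name}"
    m = APPDATA_RE.search(event["target"])
    if (event["action"] == "read" and m
            and m.group(1).lower() in WALLET_DIRS
            and image not in ALLOWED_IMAGES):
        return f"wallet-access: {image} read {m.group(1)} data"
    return None


def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]


# Constructed sample events (hypothetical, not taken from the report).
SAMPLE_EVENTS = [
    {"action": "create", "image": r"C:\Users\a\AppData\Local\Temp\ldr.exe",
     "target": r"C:\Users\a\AppData\Roaming\bs.dll.c"},
    {"action": "read", "image": r"C:\Program Files\Bitcoin\bitcoin-qt.exe",
     "target": r"C:\Users\a\AppData\Roaming\Bitcoin\wallet.dat"},
    {"action": "read", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\a\AppData\Roaming\Primecoin\wallet.dat"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

File names alone are weak indicators because they are trivial to change, so the wallet-access rule, which keys on behavior, is the more durable of the two.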

Researchers note that these malicious modules can be purchased separately, but the distributor of Quant may have included them in the loader to justify the relatively high price of the malware—$275.

Stealth Features

The new version of Quant also includes a sleep mode feature to evade detection by antivirus software.
