ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Guru Spider

Names: Guru Spider (CrowdStrike)
Country: Russia
Motivation: Financial gain
First seen: 2014
Description: (Forcepoint) Quant is not new or a very novel piece of malware: we covered the basics of it last year when it was first advertised by its creator, MrRaiX, and began to emerge in the wild. However, analysis of the newly obtained samples quickly revealed some differences to the previously documented Quant-based Locky and Pony campaigns. Further, these newest samples all appeared to attempt to download the same payload files from the C2 server after their initial connection.
Observed: Countries: Worldwide.
Tools used: Madness PRO DDoS, MBS BTC Stealer, MKL Pro Keylogger, Quant Loader, Z*Stealer.
Operations performed:
Sep 2016: On September 1, 2016 a new trojan downloader became available to purchase on various Russian underground forums. Named 'Quant Loader' by its creator, the downloader has already been used to distribute the Locky Zepto crypto-ransomware, and Pony (aka Fareit) malware families.
<https://www.forcepoint.com/blog/x-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground>
Mar 2018: QuantLoader is a Trojan downloader that has been available for sale on underground forums for quite some time now. It has been used in campaigns serving a range of malware, including ransomware, Banking Trojans, and RATs. The campaign that we are going to analyze is serving a BackDoor.
<https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/>
Mar 2018: Barracuda Threat Spotlight: New URL File Outbreak Could be a Ransomware Attempt
<https://blog.barracuda.com/2018/04/10/barracuda-threat-spotlight-new-url-file-outbreak-could-be-a-ransomware-attempt/>
Information:
<https://www.forcepoint.com/blog/x-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground>
<https://www.forcepoint.com/zh-hant/blog/security-labs/quantize-or-capitalize>

Last change to this card: 14 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
