6
mins read

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Shreya Talukdar
November 4, 2023
Green Alert
Last Update posted on
February 3, 2024
Proactive Monitoring of the Dark Web for your organization.

Proactively monitor and defend your organization against threats from the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Bablu Kumar

Category:  Malware Intelligence

Motivation: Financial

Region:  Global

Source*

C: Fairly reliable

1: Confirmed by independent sources

Executive Summary

On 23 October 2023,  CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations. The ransomware targets Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions and the ESXi variant is under development. The encrypter has been packed using UPX.

Ransomware as a Service (RaaS) is a criminal business model where individuals or groups of cybercriminals create and distribute ransomware to other malicious actors, often for a fee or a percentage of the profits. RaaS enables less technically skilled individuals to become involved in cybercrime and launch ransomware attacks.

With various encryption schemes, the encrypter can also stop services and terminate processes that could interfere with the encryption of files.

The threat actor also offers a separate program called File Stealer that is designed for exfiltrating files to an online file-sharing platform called mega[.]nz. 

Analysis and Attribution

The key features and offerings of this ransomware are as follows as claimed by the threat actor:

  • Efficient Concurrency: Utilizing Go's capabilities, this ransomware promises faster execution, lower detection rates, and enhanced versatility.
  • Cross-Platform Compatibility: The ransomware has been tested on both Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions.
  • ESXi Variant: An ESXi variant is mentioned to be in the early stages of development, indicating potential expansion into the virtualization environment.
  • Unique Builds: The ransomware generates unique builds for each operation, reducing the risk of detection and obviating the need for a crypter.
  • Key Features: The ransomware offers fast encryption using a hybrid logic (Salsa20 + RSA 2048), various encryption modes (Full, Partial, and Smart), timely execution, obscured binaries, anti-analysis techniques, direct syscalls, multi-threading, and a decryption tool.
  • Customization: The threat actor offers customization options, including pre-execution shell-code injection, file exfiltration, and personalized information gathering about the target system, all at no extra cost.

Threat actor announcing a new ransomware service (RaaS) named QBit

Upon closer examination of the post, our source has unearthed a significant level of interest from multiple threat actors. Notably, some individuals expressed curiosity about the profit-sharing arrangement. In response, the original poster (OP) revealed that the division is set at 85/15, signifying that 85% of the profits are allocated to the affiliate, while the remaining 15% is retained by the Ransomware as a Service (RaaS) provider.

OP discussing the profit-sharing arrangement

Analysis of its Functionalities

The piece of malware (encrypter) was packed using a well-known open-source packer known as UPX. Before unpacking the size of the malware was 1.4 MB with an entropy level of 8. Upon unpacking the binary, the malware expanded to a size of 4.92 megabytes. When writing this, there have been no reported instances of this particular strain on VirusTotal.

During the execution, the binary presents users with multiple options such as:

  • -activation string: it’s set by the user to specify a particular date and time when the binary will get executed.
  • -log: this option enables the user to display log messages on the user interface.
  • -method string: Allows you to specify the encryption method. Options include "full," "partial," or "smart" (default is "full").
  • -nobk: If this option is used, the program won't change the desktop wallpaper during its operation.
  • -nodel: If provided, the program won't perform self-destruction after the encryption process is completed.
  • -nomutex: Deactivates Mutex. When set, the program can run multiple instances simultaneously.
  • -pass string: Requires a password to run the program.
  • -path string: Specifies the paths to be encrypted, separated by commas. If not provided, the program will encrypt all logical drives from A to Z.
  • -stopserv: Stops services and terminates processes that could interfere with the encryption of some files. This action typically requires ADMIN or SYSTEM privileges.
  • -thread int: Allows you to set the number of threads for processing (default is 4).

Functionalities come with the encrypter

Upon executing the ransomware using, “Encryptor.exe -log -pass=01 -method=smart”, we get the following popup:

The smart method uses intermittent technology to speed up the speed of encryption, meaning it only encrypts certain parts of the file/data.

The files, zip, and applications were encrypted with a .660 extension which is calculated based on the GUID (Globally Unique Identifier), a 128-bit unique identifier that is generated by the operating system (OS), or applications to uniquely identify resources, objects, components, or other items within the Windows environment. This extension remains constant for a particular user’s OS.

Since extensions are generally three letters long, it has taken the first three characters of the victim’s machine GUID as portrayed above. It is significant because the same 4-digit characters have been used to name the dropped image file in the temp directory as mentioned below.

Upon successful execution of the encrypter, we were able to spot the dropped file named 6609.jpg in the Temp directory.

The ransomware searches for the following file extensions to encrypt: com, exe, bat, cmd, vbs, vbe, js, jse, wsf, wsh, msc.

The following is the sample “readme-recover.txt” file that got dropped on the victim’s desktop. 

Change of desktop wallpaper after encryptor execution

Qbit group additionally offers the following:

  • Advanced phishing methodologies for attacking different organizations that are offered as an optional package with an extra fee.
  • They have a separate program called File Stealer, which they have advertised on underground forums in the past. It can be used to exfiltrate large amounts of files to mega.nz drive by default. 

They provide a custom solution as well so the files are directly exfiltrated to the threat actor’s RDP/VPS of choice instead of mega[.]nz.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since

23 October 2023 (on RansomedVC)

Reputation

Low

Current Status

Active

History

RaaS (developing ransomware and stealer, source: HUMINT)

Rating 

C: Fairly reliable

1: Confirmed by independent Sources

Indicators of Compromise (IoCs)

Files Obtained

6609.jpg

C:\Users\john doe\AppData\Local\Temp

Readme-recover.txt

C:\Users\john doe\Desktop

SHA256

Packed Malware: 3d8722a8bb75f7bfe699ad691e0dd46fb6f8c105ab3c3866f48e587d44d92abf

Unpacked Malware: 204d3d3e61e61771185265afa508a1db574ace3f50afcb20a3ebc41d30519108






Author

Shreya Talukdar

Cyber Threat Intelligence Researcher

Predict Cyber threats against your organization

Related Posts
Blog Image
October 25, 2024

The BRICS-Bait Rug Pull – How Scammers Use International Credibility to Deceive Investors

CloudSEK’s TRIAD team created this report based on an analysis of the increasing trend of cryptocurrency counterfeiting, in which tokens impersonate government organizations to provide some legitimacy to their “rug pull” scams. An example of this scam is covered in this report where threat actors have created a counterfeit token named “BRICS”. This token is aimed at exploiting the focus on the BRICS Summit held in Kazan, Russia, and the increased interest in investments and expansion of the BRICS government organization which comprises different countries (Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates)

Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team has uncovered a ransomware attack disrupting India's banking system, targeting banks and payment providers. Initiated through a misconfigured Jenkins server at Brontoo Technology Solutions, the attack is linked to the RansomEXX group.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Ransomware

6

min read

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Authors
Shreya Talukdar
Cyber Threat Intelligence Researcher
Co-Authors

Category:  Malware Intelligence

Motivation: Financial

Region:  Global

Source*

C: Fairly reliable

1: Confirmed by independent sources

Executive Summary

On 23 October 2023,  CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations. The ransomware targets Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions and the ESXi variant is under development. The encrypter has been packed using UPX.

Ransomware as a Service (RaaS) is a criminal business model where individuals or groups of cybercriminals create and distribute ransomware to other malicious actors, often for a fee or a percentage of the profits. RaaS enables less technically skilled individuals to become involved in cybercrime and launch ransomware attacks.

With various encryption schemes, the encrypter can also stop services and terminate processes that could interfere with the encryption of files.

The threat actor also offers a separate program called File Stealer that is designed for exfiltrating files to an online file-sharing platform called mega[.]nz. 

Analysis and Attribution

The key features and offerings of this ransomware are as follows as claimed by the threat actor:

  • Efficient Concurrency: Utilizing Go's capabilities, this ransomware promises faster execution, lower detection rates, and enhanced versatility.
  • Cross-Platform Compatibility: The ransomware has been tested on both Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions.
  • ESXi Variant: An ESXi variant is mentioned to be in the early stages of development, indicating potential expansion into the virtualization environment.
  • Unique Builds: The ransomware generates unique builds for each operation, reducing the risk of detection and obviating the need for a crypter.
  • Key Features: The ransomware offers fast encryption using a hybrid logic (Salsa20 + RSA 2048), various encryption modes (Full, Partial, and Smart), timely execution, obscured binaries, anti-analysis techniques, direct syscalls, multi-threading, and a decryption tool.
  • Customization: The threat actor offers customization options, including pre-execution shell-code injection, file exfiltration, and personalized information gathering about the target system, all at no extra cost.

Threat actor announcing a new ransomware service (RaaS) named QBit

Upon closer examination of the post, our source has unearthed a significant level of interest from multiple threat actors. Notably, some individuals expressed curiosity about the profit-sharing arrangement. In response, the original poster (OP) revealed that the division is set at 85/15, signifying that 85% of the profits are allocated to the affiliate, while the remaining 15% is retained by the Ransomware as a Service (RaaS) provider.

OP discussing the profit-sharing arrangement

Analysis of its Functionalities

The piece of malware (encrypter) was packed using a well-known open-source packer known as UPX. Before unpacking the size of the malware was 1.4 MB with an entropy level of 8. Upon unpacking the binary, the malware expanded to a size of 4.92 megabytes. When writing this, there have been no reported instances of this particular strain on VirusTotal.

During the execution, the binary presents users with multiple options such as:

  • -activation string: it’s set by the user to specify a particular date and time when the binary will get executed.
  • -log: this option enables the user to display log messages on the user interface.
  • -method string: Allows you to specify the encryption method. Options include "full," "partial," or "smart" (default is "full").
  • -nobk: If this option is used, the program won't change the desktop wallpaper during its operation.
  • -nodel: If provided, the program won't perform self-destruction after the encryption process is completed.
  • -nomutex: Deactivates Mutex. When set, the program can run multiple instances simultaneously.
  • -pass string: Requires a password to run the program.
  • -path string: Specifies the paths to be encrypted, separated by commas. If not provided, the program will encrypt all logical drives from A to Z.
  • -stopserv: Stops services and terminates processes that could interfere with the encryption of some files. This action typically requires ADMIN or SYSTEM privileges.
  • -thread int: Allows you to set the number of threads for processing (default is 4).

Functionalities come with the encrypter

Upon executing the ransomware using, “Encryptor.exe -log -pass=01 -method=smart”, we get the following popup:

The smart method uses intermittent technology to speed up the speed of encryption, meaning it only encrypts certain parts of the file/data.

The files, zip, and applications were encrypted with a .660 extension which is calculated based on the GUID (Globally Unique Identifier), a 128-bit unique identifier that is generated by the operating system (OS), or applications to uniquely identify resources, objects, components, or other items within the Windows environment. This extension remains constant for a particular user’s OS.

Since extensions are generally three letters long, it has taken the first three characters of the victim’s machine GUID as portrayed above. It is significant because the same 4-digit characters have been used to name the dropped image file in the temp directory as mentioned below.

Upon successful execution of the encrypter, we were able to spot the dropped file named 6609.jpg in the Temp directory.

The ransomware searches for the following file extensions to encrypt: com, exe, bat, cmd, vbs, vbe, js, jse, wsf, wsh, msc.

The following is the sample “readme-recover.txt” file that got dropped on the victim’s desktop. 

Change of desktop wallpaper after encryptor execution

Qbit group additionally offers the following:

  • Advanced phishing methodologies for attacking different organizations that are offered as an optional package with an extra fee.
  • They have a separate program called File Stealer, which they have advertised on underground forums in the past. It can be used to exfiltrate large amounts of files to mega.nz drive by default. 

They provide a custom solution as well so the files are directly exfiltrated to the threat actor’s RDP/VPS of choice instead of mega[.]nz.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since

23 October 2023 (on RansomedVC)

Reputation

Low

Current Status

Active

History

RaaS (developing ransomware and stealer, source: HUMINT)

Rating 

C: Fairly reliable

1: Confirmed by independent Sources

Indicators of Compromise (IoCs)

Files Obtained

6609.jpg

C:\Users\john doe\AppData\Local\Temp

Readme-recover.txt

C:\Users\john doe\Desktop

SHA256

Packed Malware: 3d8722a8bb75f7bfe699ad691e0dd46fb6f8c105ab3c3866f48e587d44d92abf

Unpacked Malware: 204d3d3e61e61771185265afa508a1db574ace3f50afcb20a3ebc41d30519108