Ransomware
6
mins read

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Shreya Talukdar
November 4, 2023
Green Alert
Last Update posted on
February 3, 2024
Proactive Monitoring of the Dark Web for your organization.

Proactively monitor and defend your organization against threats from the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Bablu Kumar

Category:  Malware Intelligence

Motivation: Financial

Region:  Global

Source*

C: Fairly reliable

1: Confirmed by independent sources

Executive Summary

On 23 October 2023,  CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations. The ransomware targets Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions and the ESXi variant is under development. The encrypter has been packed using UPX.

Ransomware as a Service (RaaS) is a criminal business model where individuals or groups of cybercriminals create and distribute ransomware to other malicious actors, often for a fee or a percentage of the profits. RaaS enables less technically skilled individuals to become involved in cybercrime and launch ransomware attacks.

With various encryption schemes, the encrypter can also stop services and terminate processes that could interfere with the encryption of files.

The threat actor also offers a separate program called File Stealer that is designed for exfiltrating files to an online file-sharing platform called mega[.]nz. 

Analysis and Attribution

The key features and offerings of this ransomware are as follows as claimed by the threat actor:

  • Efficient Concurrency: Utilizing Go's capabilities, this ransomware promises faster execution, lower detection rates, and enhanced versatility.
  • Cross-Platform Compatibility: The ransomware has been tested on both Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions.
  • ESXi Variant: An ESXi variant is mentioned to be in the early stages of development, indicating potential expansion into the virtualization environment.
  • Unique Builds: The ransomware generates unique builds for each operation, reducing the risk of detection and obviating the need for a crypter.
  • Key Features: The ransomware offers fast encryption using a hybrid logic (Salsa20 + RSA 2048), various encryption modes (Full, Partial, and Smart), timely execution, obscured binaries, anti-analysis techniques, direct syscalls, multi-threading, and a decryption tool.
  • Customization: The threat actor offers customization options, including pre-execution shell-code injection, file exfiltration, and personalized information gathering about the target system, all at no extra cost.

Threat actor announcing a new ransomware service (RaaS) named QBit

Upon closer examination of the post, our source has unearthed a significant level of interest from multiple threat actors. Notably, some individuals expressed curiosity about the profit-sharing arrangement. In response, the original poster (OP) revealed that the division is set at 85/15, signifying that 85% of the profits are allocated to the affiliate, while the remaining 15% is retained by the Ransomware as a Service (RaaS) provider.

OP discussing the profit-sharing arrangement

Analysis of its Functionalities

The piece of malware (encrypter) was packed using a well-known open-source packer known as UPX. Before unpacking the size of the malware was 1.4 MB with an entropy level of 8. Upon unpacking the binary, the malware expanded to a size of 4.92 megabytes. When writing this, there have been no reported instances of this particular strain on VirusTotal.

During the execution, the binary presents users with multiple options such as:

  • -activation string: it’s set by the user to specify a particular date and time when the binary will get executed.
  • -log: this option enables the user to display log messages on the user interface.
  • -method string: Allows you to specify the encryption method. Options include "full," "partial," or "smart" (default is "full").
  • -nobk: If this option is used, the program won't change the desktop wallpaper during its operation.
  • -nodel: If provided, the program won't perform self-destruction after the encryption process is completed.
  • -nomutex: Deactivates Mutex. When set, the program can run multiple instances simultaneously.
  • -pass string: Requires a password to run the program.
  • -path string: Specifies the paths to be encrypted, separated by commas. If not provided, the program will encrypt all logical drives from A to Z.
  • -stopserv: Stops services and terminates processes that could interfere with the encryption of some files. This action typically requires ADMIN or SYSTEM privileges.
  • -thread int: Allows you to set the number of threads for processing (default is 4).

Functionalities come with the encrypter

Upon executing the ransomware using, “Encryptor.exe -log -pass=01 -method=smart”, we get the following popup:

The smart method uses intermittent technology to speed up the speed of encryption, meaning it only encrypts certain parts of the file/data.

The files, zip, and applications were encrypted with a .660 extension which is calculated based on the GUID (Globally Unique Identifier), a 128-bit unique identifier that is generated by the operating system (OS), or applications to uniquely identify resources, objects, components, or other items within the Windows environment. This extension remains constant for a particular user’s OS.

Since extensions are generally three letters long, it has taken the first three characters of the victim’s machine GUID as portrayed above. It is significant because the same 4-digit characters have been used to name the dropped image file in the temp directory as mentioned below.

Upon successful execution of the encrypter, we were able to spot the dropped file named 6609.jpg in the Temp directory.

The ransomware searches for the following file extensions to encrypt: com, exe, bat, cmd, vbs, vbe, js, jse, wsf, wsh, msc.

The following is the sample “readme-recover.txt” file that got dropped on the victim’s desktop. 

Change of desktop wallpaper after encryptor execution

Qbit group additionally offers the following:

  • Advanced phishing methodologies for attacking different organizations that are offered as an optional package with an extra fee.
  • They have a separate program called File Stealer, which they have advertised on underground forums in the past. It can be used to exfiltrate large amounts of files to mega.nz drive by default. 

They provide a custom solution as well so the files are directly exfiltrated to the threat actor’s RDP/VPS of choice instead of mega[.]nz.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since

23 October 2023 (on RansomedVC)

Reputation

Low

Current Status

Active

History

RaaS (developing ransomware and stealer, source: HUMINT)

Rating 

C: Fairly reliable

1: Confirmed by independent Sources

Indicators of Compromise (IoCs)

Files Obtained

6609.jpg

C:\Users\john doe\AppData\Local\Temp

Readme-recover.txt

C:\Users\john doe\Desktop

SHA256

Packed Malware: 3d8722a8bb75f7bfe699ad691e0dd46fb6f8c105ab3c3866f48e587d44d92abf

Unpacked Malware: 204d3d3e61e61771185265afa508a1db574ace3f50afcb20a3ebc41d30519108






Author

Shreya Talukdar

Cyber Threat Intelligence Researcher

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Blog Image
Adversary Intelligence

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
Malware
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Ransomware

6

min read

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Authors
Shreya Talukdar
Cyber Threat Intelligence Researcher
Co-Authors
Bablu Kumar

Category:  Malware Intelligence

Motivation: Financial

Region:  Global

Source*

C: Fairly reliable

1: Confirmed by independent sources

Executive Summary

On 23 October 2023,  CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations. The ransomware targets Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions and the ESXi variant is under development. The encrypter has been packed using UPX.

Ransomware as a Service (RaaS) is a criminal business model where individuals or groups of cybercriminals create and distribute ransomware to other malicious actors, often for a fee or a percentage of the profits. RaaS enables less technically skilled individuals to become involved in cybercrime and launch ransomware attacks.

With various encryption schemes, the encrypter can also stop services and terminate processes that could interfere with the encryption of files.

The threat actor also offers a separate program called File Stealer that is designed for exfiltrating files to an online file-sharing platform called mega[.]nz. 

Analysis and Attribution

The key features and offerings of this ransomware are as follows as claimed by the threat actor:

  • Efficient Concurrency: Utilizing Go's capabilities, this ransomware promises faster execution, lower detection rates, and enhanced versatility.
  • Cross-Platform Compatibility: The ransomware has been tested on both Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions.
  • ESXi Variant: An ESXi variant is mentioned to be in the early stages of development, indicating potential expansion into the virtualization environment.
  • Unique Builds: The ransomware generates unique builds for each operation, reducing the risk of detection and obviating the need for a crypter.
  • Key Features: The ransomware offers fast encryption using a hybrid logic (Salsa20 + RSA 2048), various encryption modes (Full, Partial, and Smart), timely execution, obscured binaries, anti-analysis techniques, direct syscalls, multi-threading, and a decryption tool.
  • Customization: The threat actor offers customization options, including pre-execution shell-code injection, file exfiltration, and personalized information gathering about the target system, all at no extra cost.

Threat actor announcing a new ransomware service (RaaS) named QBit

Upon closer examination of the post, our source has unearthed a significant level of interest from multiple threat actors. Notably, some individuals expressed curiosity about the profit-sharing arrangement. In response, the original poster (OP) revealed that the division is set at 85/15, signifying that 85% of the profits are allocated to the affiliate, while the remaining 15% is retained by the Ransomware as a Service (RaaS) provider.

OP discussing the profit-sharing arrangement

Analysis of its Functionalities

The piece of malware (encrypter) was packed using a well-known open-source packer known as UPX. Before unpacking the size of the malware was 1.4 MB with an entropy level of 8. Upon unpacking the binary, the malware expanded to a size of 4.92 megabytes. When writing this, there have been no reported instances of this particular strain on VirusTotal.

During the execution, the binary presents users with multiple options such as:

  • -activation string: it’s set by the user to specify a particular date and time when the binary will get executed.
  • -log: this option enables the user to display log messages on the user interface.
  • -method string: Allows you to specify the encryption method. Options include "full," "partial," or "smart" (default is "full").
  • -nobk: If this option is used, the program won't change the desktop wallpaper during its operation.
  • -nodel: If provided, the program won't perform self-destruction after the encryption process is completed.
  • -nomutex: Deactivates Mutex. When set, the program can run multiple instances simultaneously.
  • -pass string: Requires a password to run the program.
  • -path string: Specifies the paths to be encrypted, separated by commas. If not provided, the program will encrypt all logical drives from A to Z.
  • -stopserv: Stops services and terminates processes that could interfere with the encryption of some files. This action typically requires ADMIN or SYSTEM privileges.
  • -thread int: Allows you to set the number of threads for processing (default is 4).

Functionalities come with the encrypter

Upon executing the ransomware using, “Encryptor.exe -log -pass=01 -method=smart”, we get the following popup:

The smart method uses intermittent technology to speed up the speed of encryption, meaning it only encrypts certain parts of the file/data.

The files, zip, and applications were encrypted with a .660 extension which is calculated based on the GUID (Globally Unique Identifier), a 128-bit unique identifier that is generated by the operating system (OS), or applications to uniquely identify resources, objects, components, or other items within the Windows environment. This extension remains constant for a particular user’s OS.

Since extensions are generally three letters long, it has taken the first three characters of the victim’s machine GUID as portrayed above. It is significant because the same 4-digit characters have been used to name the dropped image file in the temp directory as mentioned below.

Upon successful execution of the encrypter, we were able to spot the dropped file named 6609.jpg in the Temp directory.

The ransomware searches for the following file extensions to encrypt: com, exe, bat, cmd, vbs, vbe, js, jse, wsf, wsh, msc.

The following is the sample “readme-recover.txt” file that got dropped on the victim’s desktop. 

Change of desktop wallpaper after encryptor execution

Qbit group additionally offers the following:

  • Advanced phishing methodologies for attacking different organizations that are offered as an optional package with an extra fee.
  • They have a separate program called File Stealer, which they have advertised on underground forums in the past. It can be used to exfiltrate large amounts of files to mega.nz drive by default. 

They provide a custom solution as well so the files are directly exfiltrated to the threat actor’s RDP/VPS of choice instead of mega[.]nz.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since

23 October 2023 (on RansomedVC)

Reputation

Low

Current Status

Active

History

RaaS (developing ransomware and stealer, source: HUMINT)

Rating 

C: Fairly reliable

1: Confirmed by independent Sources

Indicators of Compromise (IoCs)

Files Obtained

6609.jpg

C:\Users\john doe\AppData\Local\Temp

Readme-recover.txt

C:\Users\john doe\Desktop

SHA256

Packed Malware: 3d8722a8bb75f7bfe699ad691e0dd46fb6f8c105ab3c3866f48e587d44d92abf

Unpacked Malware: 204d3d3e61e61771185265afa508a1db574ace3f50afcb20a3ebc41d30519108