On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group named QBit advertising a newly developed ransomware written in Go, which it claims carries advanced features to optimise its operations.
Category: Malware Intelligence
Motivation: Financial
Region: Global
Source*:
C: Fairly reliable
1: Confirmed by independent sources
On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group named QBit advertising a newly developed ransomware written in Go, which it claims carries advanced features to optimise its operations. The ransomware targets Windows (Windows 7 through Windows 11, in both 32-bit and 64-bit builds) and several 64-bit Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora); an ESXi variant is under development. The encrypter is packed with UPX.
Ransomware as a Service (RaaS) is a criminal business model where individuals or groups of cybercriminals create and distribute ransomware to other malicious actors, often for a fee or a percentage of the profits. RaaS enables less technically skilled individuals to become involved in cybercrime and launch ransomware attacks.
Besides offering several encryption modes, the encrypter can stop services and terminate processes that could interfere with file encryption, for example by holding target files open.
The threat actor also offers a separate program called File Stealer that is designed for exfiltrating files to an online file-sharing platform called mega[.]nz.
The key features and offerings, as claimed by the threat actor, are as follows:
A closer look at the post shows significant interest from multiple threat actors. Some asked about the profit-sharing arrangement; the original poster (OP) replied that the split is 85/15: 85% of the proceeds go to the affiliate and the remaining 15% is retained by the RaaS provider.
The encrypter is packed with UPX, a well-known open-source packer. Before unpacking, the binary was 1.4 MB with an entropy of 8 (the ceiling for Shannon entropy measured in bits per byte, and a strong indicator of compressed or packed content). Unpacked, it expands to 4.92 MB. At the time of writing, no sample of this strain had been submitted to VirusTotal.
During execution, the binary accepts several command-line options, such as:
Running the ransomware with “Encryptor.exe -log -pass=01 -method=smart”, we get the following popup:
The smart method uses intermittent encryption to shorten the run: rather than encrypting every byte of a file, it encrypts only selected portions, which is enough to make the file unusable while cutting disk I/O and the time the encrypter spends on each host. The cost to the attacker is that partially encrypted files keep runs of plaintext, which entropy-based detection can pick up.
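To make the packing and intermittent-encryption observations above concrete, here is an added Python example (written for this page, not CloudSEK’s tooling or code from the sample) that performs the two checks a triage analyst would run: whole-file Shannon entropy plus UPX marker strings for packer triage, and a per-chunk entropy profile that separates a fully encrypted file from an intermittently encrypted one. The thresholds, the 4 KiB chunk size and all sample byte strings are constructed for the example; `bytes(range(256))` stands in for ciphertext because its entropy is exactly 8.0 bits per byte.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Strings UPX leaves in a packed PE: its default section names and the "UPX!" stub signature.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def packer_triage(data: bytes, high: float = 7.0) -> dict:
    """Whole-file entropy plus UPX markers. High entropy alone only says 'compressed or
    encrypted'; the markers say 'and it is probably UPX', which `upx -d` can usually undo."""
    ent = shannon_entropy(data)
    found = [m.decode() for m in UPX_MARKERS if m in data]
    return {"entropy": round(ent, 2), "upx_markers": found,
            "likely_packed": ent >= high or bool(found)}


def entropy_profile(data: bytes, chunk: int = 4096) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify_profile(profile, high: float = 7.0, low: float = 5.0) -> str:
    """'encrypted' if every chunk is high-entropy, 'intermittent' when high and low
    chunks coexist in one file (the pattern partial encryption leaves), else 'plain'."""
    highs = sum(e >= high for e in profile)
    lows = sum(e <= low for e in profile)
    if profile and highs == len(profile):
        return "encrypted"
    if highs and lows:
        return "intermittent"
    return "plain"


# Constructed samples (not real files): repeated plaintext vs. a max-entropy stand-in for ciphertext.
PLAIN_CHUNK = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
CIPHER_CHUNK = bytes(range(256)) * 16          # 4096 bytes, entropy exactly 8.0
SAMPLE_PLAIN = PLAIN_CHUNK * 4
SAMPLE_FULL = CIPHER_CHUNK * 4
SAMPLE_INTERMITTENT = PLAIN_CHUNK + CIPHER_CHUNK + PLAIN_CHUNK + CIPHER_CHUNK
# A toy "packed PE": a header stub with UPX section names followed by high-entropy payload.
SAMPLE_PACKED = b"MZ" + b"\x00" * 64 + b"UPX0" + b"\x00" * 36 + b"UPX1" + CIPHER_CHUNK

if __name__ == "__main__":
    print(packer_triage(SAMPLE_PACKED))
    for name, blob in (("plain", SAMPLE_PLAIN), ("full", SAMPLE_FULL),
                       ("intermittent", SAMPLE_INTERMITTENT)):
        prof = entropy_profile(blob)
        print(name, [round(e, 1) for e in prof], classify_profile(prof))
```

Two caveats when using this on real hosts: an entropy of 8 only says the bytes look random, so the marker check (or `upx -l`) is what distinguishes a UPX-packed binary from an encrypted one; and the intermittent classifier will also fire on legitimate containers such as zip, docx or PDF files that mix compressed and uncompressed regions, so in practice it is gated on file type and on a recent modification time.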
Files, archives and applications were encrypted with a .660 extension. The extension is derived from the victim machine’s GUID (Globally Unique Identifier), a 128-bit identifier that the operating system or an application generates to uniquely identify a resource, object or component in the Windows environment, so it is constant for a given machine but differs from victim to victim.
Because extensions are conventionally three characters long, the encrypter takes the first three characters of the machine GUID, as shown above. The first four characters of the same GUID are also used to name the image file dropped in the Temp directory, as mentioned below.
Upon successful execution of the encrypter, we spotted the dropped file named 6609.jpg in the Temp directory.
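The two artifacts above share a root, which matters for hunting: an indicator written as the literal `.660` or `6609.jpg` only matches hosts whose GUID starts with 6609, so the markers have to be derived per host. The following added Python helper (written for this page, not CloudSEK’s or the sample’s code) derives the per-host markers from a GUID and checks a file listing for them. It assumes the GUID involved is the Windows MachineGuid registry value and that the encrypter appends its extension to the original file name; the report states neither, and the GUID and listing in the example are constructed.

```python
import re
import sys
from pathlib import PureWindowsPath

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def derive_markers(machine_guid: str) -> dict:
    """Per-host artifacts as observed in the report: extension = first three GUID
    characters, dropped image = first four + '.jpg' (GUID 6609... -> '.660', '6609.jpg')."""
    g = machine_guid.strip().strip("{}")
    if not GUID_RE.match(g):
        raise ValueError(f"not a GUID: {machine_guid!r}")
    return {"extension": "." + g[:3], "dropped_image": g[:4] + ".jpg",
            "ransom_note": "readme-recover.txt"}


def read_machine_guid() -> str:
    """Windows only. Assumption: the sample uses the per-install GUID stored at
    HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid; the report does not name the source."""
    if sys.platform != "win32":
        raise RuntimeError("MachineGuid is only readable on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    return value


def hunt(listing, markers: dict) -> dict:
    """Match a file listing (Windows paths, e.g. from a triage collection) against the markers."""
    hits = {"encrypted": [], "dropped_image": [], "ransom_note": []}
    for raw in listing:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if p.suffix.lower() == markers["extension"].lower():
            hits["encrypted"].append(raw)
        elif name == markers["dropped_image"].lower() and p.parent.name.lower() == "temp":
            hits["dropped_image"].append(raw)
        elif name == markers["ransom_note"]:
            hits["ransom_note"].append(raw)
    return hits


# Constructed GUID and listing for the example (the real GUID is read with read_machine_guid()).
SAMPLE_GUID = "66091a2b-3c4d-4e6f-8a8b-9c0d1e2f3a4b"
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.660",
    r"C:\Users\victim\Documents\archive.zip.660",
    r"C:\Users\victim\Desktop\readme-recover.txt",
    r"C:\Users\victim\AppData\Local\Temp\6609.jpg",
    r"C:\Users\victim\Documents\notes.txt",
    r"C:\Users\victim\Pictures\6609.jpg",   # same name outside Temp: not the dropped artifact
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LISTING, derive_markers(SAMPLE_GUID)))
```

On a live Windows host, replace `SAMPLE_GUID` with `read_machine_guid()` and feed `hunt()` a directory walk of user profiles; the extension match is the signal that scales, since the note and image names are fixed per host but the extension turns up on every encrypted file.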
The ransomware searches for the following file extensions to encrypt: com, exe, bat, cmd, vbs, vbe, js, jse, wsf, wsh, msc.
The following is the sample “readme-recover.txt” ransom note dropped on the victim’s desktop.
The QBit group additionally offers the following:
They also provide a custom build in which files are exfiltrated directly to an RDP host or VPS of the threat actor’s choice instead of mega[.]nz.