Category: Malware Intelligence
C: Fairly reliable
1: Confirmed by independent sources
On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations. The ransomware targets Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions and the ESXi variant is under development. The encrypter has been packed using UPX.
Ransomware as a Service (RaaS) is a criminal business model where individuals or groups of cybercriminals create and distribute ransomware to other malicious actors, often for a fee or a percentage of the profits. RaaS enables less technically skilled individuals to become involved in cybercrime and launch ransomware attacks.
With various encryption schemes, the encrypter can also stop services and terminate processes that could interfere with the encryption of files.
The threat actor also offers a separate program called File Stealer that is designed for exfiltrating files to an online file-sharing platform called mega[.]nz.
Analysis and Attribution
The key features and offerings of this ransomware are as follows as claimed by the threat actor:
- Efficient Concurrency: Utilizing Go's capabilities, this ransomware promises faster execution, lower detection rates, and enhanced versatility.
- Cross-Platform Compatibility: The ransomware has been tested on both Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions.
- ESXi Variant: An ESXi variant is mentioned to be in the early stages of development, indicating potential expansion into the virtualization environment.
- Unique Builds: The ransomware generates unique builds for each operation, reducing the risk of detection and obviating the need for a crypter.
- Key Features: The ransomware offers fast encryption using a hybrid logic (Salsa20 + RSA 2048), various encryption modes (Full, Partial, and Smart), timely execution, obscured binaries, anti-analysis techniques, direct syscalls, multi-threading, and a decryption tool.
- Customization: The threat actor offers customization options, including pre-execution shell-code injection, file exfiltration, and personalized information gathering about the target system, all at no extra cost.
Upon closer examination of the post, our source has unearthed a significant level of interest from multiple threat actors. Notably, some individuals expressed curiosity about the profit-sharing arrangement. In response, the original poster (OP) revealed that the division is set at 85/15, signifying that 85% of the profits are allocated to the affiliate, while the remaining 15% is retained by the Ransomware as a Service (RaaS) provider.
Analysis of its Functionalities
The piece of malware (encrypter) was packed using a well-known open-source packer known as UPX. Before unpacking the size of the malware was 1.4 MB with an entropy level of 8. Upon unpacking the binary, the malware expanded to a size of 4.92 megabytes. When writing this, there have been no reported instances of this particular strain on VirusTotal.
During the execution, the binary presents users with multiple options such as:
- -activation string: it’s set by the user to specify a particular date and time when the binary will get executed.
- -log: this option enables the user to display log messages on the user interface.
- -method string: Allows you to specify the encryption method. Options include "full," "partial," or "smart" (default is "full").
- -nobk: If this option is used, the program won't change the desktop wallpaper during its operation.
- -nodel: If provided, the program won't perform self-destruction after the encryption process is completed.
- -nomutex: Deactivates Mutex. When set, the program can run multiple instances simultaneously.
- -pass string: Requires a password to run the program.
- -path string: Specifies the paths to be encrypted, separated by commas. If not provided, the program will encrypt all logical drives from A to Z.
- -stopserv: Stops services and terminates processes that could interfere with the encryption of some files. This action typically requires ADMIN or SYSTEM privileges.
- -thread int: Allows you to set the number of threads for processing (default is 4).
Upon executing the ransomware using, “Encryptor.exe -log -pass=01 -method=smart”, we get the following popup:
The smart method uses intermittent technology to speed up the speed of encryption, meaning it only encrypts certain parts of the file/data.
The files, zip, and applications were encrypted with a .660 extension which is calculated based on the GUID (Globally Unique Identifier), a 128-bit unique identifier that is generated by the operating system (OS), or applications to uniquely identify resources, objects, components, or other items within the Windows environment. This extension remains constant for a particular user’s OS.
Since extensions are generally three letters long, it has taken the first three characters of the victim’s machine GUID as portrayed above. It is significant because the same 4-digit characters have been used to name the dropped image file in the temp directory as mentioned below.
Upon successful execution of the encrypter, we were able to spot the dropped file named 6609.jpg in the Temp directory.
The ransomware searches for the following file extensions to encrypt: com, exe, bat, cmd, vbs, vbe, js, jse, wsf, wsh, msc.
The following is the sample “readme-recover.txt” file that got dropped on the victim’s desktop.
Qbit group additionally offers the following:
- Advanced phishing methodologies for attacking different organizations that are offered as an optional package with an extra fee.
- They have a separate program called File Stealer, which they have advertised on underground forums in the past. It can be used to exfiltrate large amounts of files to mega.nz drive by default.
They provide a custom solution as well so the files are directly exfiltrated to the threat actor’s RDP/VPS of choice instead of mega[.]nz.