Decoding QBit Stealer’s Source Release And Data Exfiltration Prowess – Cyble

Cyble Research and Intelligence Labs detail the QBit RaaS group’s Go-based ransomware and the freely released qBit Stealer source code, highlighting its selective exfiltration approach and use of Mega.nz for uploads, which could expand adoption among new threat actors. The analysis notes anti-debugging/anti-virtualization checks, concurrent data uploads, and the potential to serve ransomware operators by enabling data exfiltration prior to encryption. #QBitRaaS #qBitStealer #Go #MegaNZ #CRIL #Cyble #SourceCode #Windows #Linux #ESXi

Keypoints

  • In September 2023, the QBit RaaS group announced a new ransomware written in Go.
  • On October 9, 2023, QBit introduced qBit Stealer (Go), claiming it can evade Endpoint Detection and Response (EDR) solutions.
  • The stealer can upload any file to Mega.nz using a concurrency engine and is offered for purchase with a trial version.
  • On December 5, 2023, qBitStealer’s source code was released for free on cybercrime forums.
  • CRIL found qBit Stealer selectively targets files with specific extensions, suggesting exfiltration use in ransomware operations.
  • The tool’s free availability increases the risk of adoption by many new, less sophisticated threat actors.

MITRE Techniques

  • [T1204] User Execution – The user needs to manually execute the malicious file downloaded from the phishing site.
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM/Anti-Debug technique for evasion.
  • [T1057] Process Discovery – The malware captures all the running processes.
  • [T1518.001] Security Software Discovery – The malware searches for processes associated with virtual machines and debuggers in order to forcibly terminate them.
  • [T1005] Data from Local System – The malware collects sensitive data from the victim’s system.
  • [T1020.001] Automated Exfiltration – Automatically exfiltrates the stolen data.
  • [T1030] Data Transfer Size Limits – qBit Stealer exfiltrates the final zip file in chunks if its size exceeds the value specified by the TA.
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltrates data to Mega.nz.
  • [T1059] Command-Line Interface – In Manual mode, the attacker can use the command-line options ‘b’ -> BEGIN, ‘r’ -> RELOAD CONFIG, and ‘e’ -> EXIT.
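The exfiltration behaviour listed above (concurrent uploads to Mega.nz, with the archive split into chunks above a size threshold) leaves a recognisable pattern in egress logs: one client issuing a burst of POSTs to Mega.nz domains in a short window, often with several uploads of identical size. The following detection heuristic is an added example written for this summary, not code from the Cyble report or from qBit Stealer; the log format, the Mega.nz domain suffixes, and the thresholds are assumptions and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not from the Cyble report). Assumed format:
# <ISO timestamp> <client ip> <method> <destination host> <bytes sent>
SAMPLE_LOGS = """\
2023-12-05T10:00:01Z 10.0.0.7 POST g.api.mega.co.nz 512
2023-12-05T10:00:02Z 10.0.0.7 POST gfs208n201.userstorage.mega.co.nz 4194304
2023-12-05T10:00:02Z 10.0.0.7 POST gfs208n202.userstorage.mega.co.nz 4194304
2023-12-05T10:00:03Z 10.0.0.7 POST gfs208n203.userstorage.mega.co.nz 4194304
2023-12-05T10:00:03Z 10.0.0.7 POST gfs208n204.userstorage.mega.co.nz 1048576
2023-12-05T10:00:05Z 10.0.0.9 GET www.example.com 0
2023-12-05T10:30:00Z 10.0.0.9 POST gfs208n210.userstorage.mega.co.nz 2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
MEGA_DOMAINS = ("mega.co.nz", "mega.nz")  # assumed Mega.nz API/storage domains


def is_mega_host(host):
    """True when host is one of the Mega.nz domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def parse_log(text):
    """Parse the constructed log lines into (time, client, method, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, method, host, nbytes = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           client, method, host, int(nbytes)))
    return events


def find_bulk_mega_uploads(events, window=timedelta(seconds=30),
                           min_uploads=3, min_bytes=8 * 1024 * 1024):
    """Flag clients that issue several POSTs to Mega.nz within one short window.
    uniform_chunks is set when several uploads share the same size, which is
    what chunked exfiltration (T1030) tends to look like. Thresholds are assumed."""
    by_client = defaultdict(list)
    for ts, client, method, host, nbytes in events:
        if method == "POST" and is_mega_host(host):
            by_client[client].append((ts, nbytes))
    alerts = []
    for client, uploads in by_client.items():
        uploads.sort()
        for i, (start, _) in enumerate(uploads):
            burst = [b for t, b in uploads[i:] if t - start <= window]
            if len(burst) >= min_uploads and sum(burst) >= min_bytes:
                alerts.append({"client": client, "uploads": len(burst), "bytes": sum(burst),
                               "uniform_chunks": burst.count(max(burst, key=burst.count)) > 1})
                break  # one alert per client is enough for triage
    return alerts
```

On the constructed sample, only 10.0.0.7 is flagged (five POSTs, about 13 MB, three equal-sized chunks); the single small upload from 10.0.0.9 stays below the thresholds.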

Indicators of Compromise

  • [Hash] qBit Stealer Source Code – de19769403aad543997616776ff8aab9 (MD5), 9ae9d760c4d117f6eef5d439b7814eb6d4903194 (SHA1), and 36a4842f4090dcc5979f3515d62b3218dd84133b8b633050dd07cc332dca2055 (SHA256)

Read more: https://cyble.com/blog/decoding-qbit-stealers-source-release-and-data-exfiltration-prowess/