Key Takeaways
- On September 29, 2023, the QBit Ransomware-as-a-Service (RaaS) group introduced a newly developed ransomware crafted in Go.
- On October 9, 2023, the QBit Team unveiled qBit Stealer, developed in the Go language, highlighting its claim of being undetectable by Endpoint Detection and Response solutions (EDRs).
- This stealer is proficient in uploading any file to Mega[.]nz, utilizing an advanced concurrency engine for swift uploads. The stealer is available for purchase, and a trial version is accessible.
- On December 5, 2023, the qBitStealer’s source code was announced to be distributed freely.
- Upon analyzing qBit Stealer’s source code, Cyble Research and Intelligence Labs (CRIL) discovered a distinctive feature: unlike other stealers, qBit selectively targets files with specific extensions. This characteristic implies its potential use as an exfiltration tool in ransomware operations.
- Given that this stealer is now accessible without any attached cost, there is a heightened risk of its utilization by numerous new, less sophisticated Threat Actors (TAs).
Overview
In September 2023, the QBit Ransomware-as-a-Service (RaaS) group unveiled a new ransomware created in the Go programming language. This malware is highly advanced and can target both Windows (from Windows 7 to Windows 11) and various Linux distributions. Additionally, they hinted at developing a version for ESXi.
On October 9, 2023, QBit introduced qBit Stealer, a stealthy tool written in Go. The TA claims that qBit stealer can go undetected by security solutions and can quickly upload files to Mega[.]nz. The stealer is available for purchase, including a trial version.
However, on December 5, 2023, one of the TAs behind Qbit released the code of qBitStealer for free on a known cybercrime forum. Later, we also observed the same code being posted on different cybercrime forums.
CRIL’s findings revealed that qBitStealer stands out by only stealing files with specific extensions. This distinctive behavior suggests a potential alignment with data theft, pointing toward its potential use in ransomware operations. In contrast, other stealers typically focus on pilfering sensitive data from various applications without being as selective in their approach.
The figure below shows the source code of qBit stealer.
Source Code Analysis
The source code of this qBit Stealer consists of the following files:
| File Name | Description |
| --- | --- |
| compile.bat | Batch script for generating the stealer exe file |
| config.json | Configuration file |
| internal.go | Contains defined arrays and structures |
| qBitStealer.go | Main stealer file |
| functions.go | Utility functions and dependencies used by the qBitStealer.go file |
| megaFunc.go | Mega API client |
Anti-Debugging
Qbit Stealer uses the NtQueryInformationProcess() function to retrieve information about the current process. The code checks whether the Process Environment Block (PEB) contains the “BeingDebugged” flag. A non-zero value suggests the presence of a debugger or virtual machine. The figure below shows the code for the anti-debugging check.
Anti-Virtualization/Sandbox
This stealer checks whether it is being executed in an environment associated with specific processes commonly used for analysis or debugging. It iterates over a list of predefined processes mentioned in the table below. If a match is found with any of the running processes, the stealer exits with an exit code of 1.
| Process name | Process name | Process name |
| --- | --- | --- |
| ProcessHacker.exe | joeboxserver.exe | x96dbg.exe |
| httpdebuggerui.exe | devenv.exe | prl_cc.exe |
| wireshark.exe | IMMUNITYDEBUGGER.EXE | prl_tools.exe |
| fiddler.exe | ImportREC.exe | qemu-ga.exe |
| regedit.exe | reshacker.exe | joeboxcontrol.exe |
| cmd.exe | windbg.exe | ksdumperclient.exe |
| taskmgr.exe | 32dbg.exe | xenservice.exe |
| df5serv.exe | 64dbg.exex | idaq64.exe |
| processhacker.exe | protection_id.exe | idaq.exe |
| ida64.exe | scylla_x86.exe | idaw.exe |
| ollydbg.exe | scylla_x64.exe | idag64.exe |
| pestudio.exe | scylla.exe | idag.exe |
| x32dbg.exe | idau64.exe | ida64.exe |
| x64dbg.exe | idau.exe | ida.exe |
The figure below shows the code for iterating through the list of running processes.
Configuration
The leaked source code of qBit stealer also includes a batch script designed to produce the qBit stealer executable along with a configuration file named “config.json.” The figure below shows the configuration file.
The configuration file consists of the following fields:
API Credentials (API): The ID and password within the API object are used for authentication with the Mega[.]nz API. The stealer logs into the Mega[.]nz cloud storage service to upload stolen files.
File System Path (Path): The Path field specifies the initial file system path from which the stealer will start searching for files to exfiltrate. If not specified or inaccessible, it defaults to using all available drives.
Stolen Folder Name (StolenFolderName): This parameter determines the name of the folder on the Mega[.]nz cloud where stolen files will be stored. In this case, it is set to “test_folder.”
Maximum File Size (MaxFileSizeMB): The MaxFileSizeMB field defines the maximum size of files (in megabytes) that the stealer will upload. Files larger than this limit will be excluded; by default, this is set to 150MB.
Split Size (SplitSize): It specifies the size (in megabytes) at which large zip files will be split during the upload process; by default, this is set to 50MB.
Targeted File Extensions (TargetedFileExtensions): This is an array of file extensions that the stealer is configured to target. Only files with these extensions will be considered for exfiltration; by default, it targets .txt, .pdf, and .docx files.
Operation Mode (Mode): The Mode field defines the operation mode of the stealer. In this case, it is set to “MANUAL,” indicating a manual mode of operation. In this mode, the attacker can use the following command line options:
| Parameter | Function |
| --- | --- |
| b | BEGIN |
| r | RELOAD CONFIG |
| e | EXIT |
The AUTO mode is used to exfiltrate data automatically with the same configuration.
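When a config.json is recovered from a build or a compromised host, the settings above tell an analyst what the sample was set to collect and how the archive would be chunked. The Go snippet below is an added example written for this post (it is not code from the leaked qBit source): it decodes the fields described above, applies the documented defaults to absent fields, and computes the number of uploads implied by SplitSize. The key names inside the API object are not given in the analysis, so that object is decoded as a free-form map.

```go
package main

import "encoding/json"

// QBitConfig mirrors the config.json fields described in the analysis. The key
// names inside the API object are not given there, so it is decoded as a map.
type QBitConfig struct {
	API                    map[string]string `json:"API"`
	Path                   string            `json:"Path"`
	StolenFolderName       string            `json:"StolenFolderName"`
	MaxFileSizeMB          int               `json:"MaxFileSizeMB"`
	SplitSize              int               `json:"SplitSize"`
	TargetedFileExtensions []string          `json:"TargetedFileExtensions"`
	Mode                   string            `json:"Mode"`
}

// ParseConfig decodes a recovered config.json and applies the defaults the
// article describes for absent fields, so an analyst sees the effective settings.
func ParseConfig(raw []byte) (QBitConfig, error) {
	var c QBitConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	if c.Path == "" {
		c.Path = "<all drives>" // empty or inaccessible Path: every drive is walked
	}
	if len(c.TargetedFileExtensions) == 0 {
		c.TargetedFileExtensions = []string{".txt", ".pdf", ".docx"}
	}
	if c.MaxFileSizeMB <= 0 {
		c.MaxFileSizeMB = 150
	}
	if c.SplitSize <= 0 {
		c.SplitSize = 50
	}
	return c, nil
}

// ChunkCount is the number of uploads a .tar.gz of archiveMB (>0) produces when
// split at splitMB: ceil(archiveMB/splitMB), i.e. one when it fits (MITRE T1030).
func ChunkCount(archiveMB, splitMB int) int {
	return (archiveMB + splitMB - 1) / splitMB
}
```

With the defaults applied, a config that sets nothing but Mode still yields .txt/.pdf/.docx collection from every drive with a 150MB file cap and 50MB chunks.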
Data Exfiltration
Before exfiltrating the data, qBit stealer creates a new instance of the Mega[.]nz API client. Then, it checks whether “StolenFolderName” is specified in the configuration file. If it is not specified in the configuration file, it sets the folder name to the computer username obtained using the getComputerUsername() function and creates a folder in the %temp% directory. This folder is utilized to store the stolen data, and it will be later compressed into a ‘.tar.gz’ file.
qBit stealer targets paths specified in “StolenFolderName” for stealing data. If no specific paths are provided, it defaults to obtaining files from all available drives using the getDrives function. It walks through the specified paths and subdirectories, filtering files based on their extension and size. The figure below shows the code for iterating directories.
Next, the stealer converts the stolen data into a “.tar.gz” file. If the size of this archive is more than the size specified in the configuration, it splits the file into smaller chunks. The code then uses goroutines to concurrently upload each split file. The sync.WaitGroup is used to wait for all the uploads to complete.
After the uploads are complete, a cleanup routine is scheduled using time.AfterFunc. It waits for 15 seconds and then attempts to remove the archive file.
The figure below shows the code for file upload.
Conclusion
The release of qBitStealer’s source code, coupled with its distinct feature of selectively targeting files, poses a heightened risk of adoption by less sophisticated TAs. The availability of this tool may contribute to an increased prevalence of cyber threats, as it enables individuals with lower expertise to potentially engage in malicious activities.
Moreover, the specific targeting of files by qBitStealer aligns with the evolving tactics seen in ransomware attacks, particularly those involving double extortion. The threat of exposing sensitive data along with encryption increases the leverage of cybercriminals. In this landscape, qBitStealer could serve as a valuable tool for TAs seeking to exfiltrate critical data before initiating a ransomware attack, amplifying the potential harm to targeted entities.
Our Recommendations
- Strengthen endpoint security measures, including the use of updated and robust Endpoint Detection and Response (EDR) solutions.
- Deploy DLP solutions that can monitor, detect, and block unauthorized attempts to transfer sensitive data outside the organization. These solutions can be configured to enforce policies regarding data movement.
- Use reputed anti-virus and internet security software packages on your devices, including PCs, laptops, and mobiles.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| --- | --- | --- |
| Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the malicious file downloaded from the phishing site. |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Performs anti-VM/anti-debug techniques for evasion. |
| Discovery (TA0007) | Process Discovery (T1057) | The malware captures all running processes. |
| Discovery (TA0007) | Security Software Discovery (T1518.001) | The malware searches for processes associated with virtual machines and debuggers in order to forcibly terminate. |
| Collection (TA0009) | Data from the Local System (T1005) | The malware collects sensitive data from the victim’s system. |
| Exfiltration (TA0010) | Automated Exfiltration (T1020.001) | Automatically exfiltrates the stolen data. |
| Exfiltration (TA0010) | Data Transfer Size Limits (T1030) | qBit Stealer exfiltrates the final zip file in chunks if its size exceeds the value specified by the TA. |
| Exfiltration (TA0010) | Exfiltration to Cloud Storage (T1567.002) | Exfiltrates data to Mega[.]nz. |
Indicators Of Compromise
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| de19769403aad543997616776ff8aab9 | MD5 | qBit Stealer Source Code |
| 9ae9d760c4d117f6eef5d439b7814eb6d4903194 | SHA1 | qBit Stealer Source Code |
| 36a4842f4090dcc5979f3515d62b3218dd84133b8b633050dd07cc332dca2055 | SHA256 | qBit Stealer Source Code |
Source: https://cyble.com/blog/decoding-qbit-stealers-source-release-and-data-exfiltration-prowess/