A new information stealer has arrived on the dark web markets. Known as the qBit stealer, this information stealer came into the spotlight when the QBit Ransomware-as-a-Service (RaaS) group posted its capabilities and features on its dark web portal.
The ransomware associated with the stealer is capable of obtaining files from its victim systems, hindering detection from the on-board security systems. The qBit stealer was introduced by the ransomware group on October 9, 2023, boasting its unique capabilities and features.
Understanding the QBit Stealer; Features and Capabilities
The Cyble Research and Intelligence Labs (CRIL) found the QBit stealer’s source code being sold for free on dark web channels. The information stealer is claimed to be undetectable by Endpoint Detection and Response solutions (EDRs) and features sophisticated facets to target its victims.
This tool demonstrates its prowess by swiftly uploading files to Mega[.]nz, employing an advanced concurrency engine.
According to CRIL, the QBit stealer, unlike other information stealers on the markets, selectively targets files with specific extensions, hinting at its potential role as an exfiltration tool in ransomware operations.
CRIL’s analysis revealed that qBitStealer’s source code comprises several key files, including compile.bat, config.json, internal.go, qBitStealer.go, functions.go, and megaFunc.go.
Additionally, the code employs anti-debugging and anti-virtualization/sandbox techniques, ensuring a higher level of evasion.
Details from Leaked Source Code
The leaked source code includes a batch script and a configuration file named “config.json”. This file outlines critical parameters, such as API credentials for Mega[.]nz authentication, file system path, stolen folder name, maximum file size, split size for large files, targeted file extensions, and operation mode (manual or automatic).
Additionally, QBit Stealer adopts a meticulous approach to data exfiltration. It creates an instance of the Mega[.]nz API, targets specified paths for stealing data and converts stolen data into a “.tar.gz” file. The file is then split into smaller chunks for concurrent uploading, demonstrating a sophisticated and efficient exfiltration process.
Mitigation Against QBit Stealer
The QBit stealer marks yet another threat being promoted on dark web platforms. The Cyber Express previously covered new information stealers with unique capabilities and hindering detections for weeks.
This particular information stealers comes packed with features and easy of access even to low-grade hackers and ransomware groups, making it a looming dark web threat.
The release of qBitStealer’s source code poses an elevated risk, as it may attract less sophisticated threat actors — inadvertently increasing the number of cyberattacks.
Its unique file-targeting feature aligns with evolving tactics in ransomware attacks, making the ransomware group threatening to users across industries.
CRIL recommends strengthening endpoint security with updated EDR solutions, deploying Data Loss Prevention (DLP) solutions to monitor and block unauthorized data transfers, and utilizing reputable antivirus and internet security software on all devices.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
