The new Dark Web threat is on sale!


A new information thief has arrived on the dark web markets. Known as the qBit thief, this information stealer came to light when the QBit Ransomware-as-a-Service (RaaS) group released its capabilities and features on its dark web portal.

The thief-associated ransomware is capable of obtaining files from its victims’ systems, thereby preventing detection by onboard security systems. The qBit thief was introduced by the ransomware group on October 9, 2023, benefiting from its unique capabilities and features.

Understanding the QBit thief; Features and Capabilities

qBit RaaS, qBit Thief
Source: Cyblé

THE Cyble Research and Intelligence Laboratories (CRIL) discovered that the QBit thief’s source code was being sold for free on Dark Web channels. The information thief would be undetectable by endpoint detection and response (EDR) solutions and has sophisticated facets to target its victims.

This tool demonstrates its prowess by quickly uploading files to Mega(.)nz, using an advanced concurrency engine.

According to CRIL, the QBit thief, unlike the others information thieves in markets, selectively targets files with specific extensions, hinting at its potential role as an exfiltration tool in ransomware operations.

CRIL analysis revealed that qBitStealer source code includes several key files, including compile.bat, config.json, internal.go, qBitStealer.go, function.go, and megaFunc.go.

Additionally, the code uses anti-debugging and anti-virtualization/sandbox techniques, ensuring a higher level of evasion.

Leaked source code details

Bit thief
Source: Cyblé

The leaked source code includes a batch script and a configuration file named “config.json”. This file describes critical settings, such as API credentials for Mega(.)nz authentication, file system path, stolen folder name, maximum file size, split size for files large files, the targeted file extensions and the operating mode (manual or automatic).

qBit Stealer, source code
Source: Cyblé

Additionally, QBit Stealer takes a meticulous approach to data exfiltration. It creates an instance of the Mega(.)nz API, targets the specified paths to steal data, and converts the stolen data into a “.tar.gz” file. The file is then split into smaller pieces for simultaneous downloading, demonstrating a sophisticated and efficient exfiltration process.

Mitigation against QBit thief

The QBit thief is another threat promoted on Dark Web platforms. The Cyber ​​Express previously covered new information stealers with unique abilities and hindering detections for weeks.

This particular information stealer is feature-rich and easy to access even for low-level hackers and ransomware groups, making it an imminent risk. dark web threat.

Releasing qBitStealer source code poses a high risk because it may attract less sophisticated threat actors, thereby inadvertently increasing the number of cyberattacks.

Its unique file targeting functionality aligns with evolving ransomware attack tactics, making the ransomware group threatening users across all industries.

CRIL recommends strengthening endpoint security with updated EDR solutions, deploying data loss prevention (DLP) solutions to monitor and block unauthorized data transfers, and using antivirus and security software. reputable internet security on all devices.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber ​​Express assumes no responsibility for the accuracy or consequences of the use of this information.

Leave a comment