@qq.com

[Content by Gemini 2.5]

@qq.com Ransomware Deep-Dive

(File-extension identifier: “.qq.com” – including the full public suffix)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension appended: Each encrypted file is suffixed with .qq.com – e.g.,
    Report—2024-05.xlsx → Report—2024-05.xlsx.qq.com
  • Renaming convention:
    – Files are not moved to other directories; the extension is double-dotted into the original file name.
    – Immediately after encryption the Windows thumbnail cache will still show old icons; a quick refresh (F5) reveals the new extension.
    – Both SYSTEM and user-space files are impacted, so shadow volumes, VSS, and Windows Defender history also receive the suffix.
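The renaming pattern above is the earliest host-side signal a defender can act on: the original name and extension survive intact and only the `.qq.com` suffix is appended. The following Python is an added example, not part of the original write-up. It parses file-rename events into (original name, original extension) pairs, ignores names that merely end in `.com` or are literally `qq.com`, and raises an alert when one host performs a burst of such renames, which is what a running encryption loop looks like. The event tuple format, host names, timestamps and the burst threshold are all constructed assumptions.

```python
"""Detect the ".qq.com" double-extension renaming pattern in file-rename events.

Added example (not from the original write-up). Events are constructed tuples of
(ISO timestamp, host, old_name, new_name); the format and thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

RANSOM_SUFFIX = ".qq.com"

# An encrypted file keeps its original name and extension and gets the suffix
# appended, e.g. "Report.xlsx" -> "Report.xlsx.qq.com".  Requiring a real
# extension before the suffix separates this from a plain ".com" executable
# or a file that is literally named "qq.com".
_PATTERN = re.compile(
    r"^(?P<stem>.+\.(?P<ext>[A-Za-z0-9]{1,10}))" + re.escape(RANSOM_SUFFIX) + r"$"
)


def parse_encrypted_name(name):
    """Return (original_name, original_extension) if `name` carries the suffix, else None."""
    m = _PATTERN.match(name)
    if not m:
        return None
    return m.group("stem"), m.group("ext").lower()


def is_rename_to_encrypted(old_name, new_name):
    """True when a rename appended exactly the ransomware suffix to the old name."""
    parsed = parse_encrypted_name(new_name)
    return parsed is not None and parsed[0] == old_name


def find_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: max_renames_in_window} for hosts whose qualifying renames
    reach `threshold` inside any sliding interval of length `window`."""
    per_host = {}
    for ts, host, old, new in events:
        if is_rename_to_encrypted(old, new):
            per_host.setdefault(host, []).append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts


# Constructed sample events: ws-17 shows an encryption burst, ws-02 does not.
SAMPLE_EVENTS = [
    ("2024-05-06T09:00:00", "ws-17", "Report-2024-05.xlsx", "Report-2024-05.xlsx.qq.com"),
    ("2024-05-06T09:00:01", "ws-17", "budget.docx", "budget.docx.qq.com"),
    ("2024-05-06T09:00:02", "ws-17", "photo.jpg", "photo.jpg.qq.com"),
    ("2024-05-06T09:00:03", "ws-17", "notes.txt", "notes.txt.qq.com"),
    ("2024-05-06T09:00:04", "ws-17", "db.sqlite", "db.sqlite.qq.com"),
    ("2024-05-06T09:05:00", "ws-02", "setup.exe", "setup.com"),        # plain .com, not the pattern
    ("2024-05-06T09:06:00", "ws-02", "draft.txt", "draft.txt.qq.com"),  # one rename, below threshold
    ("2024-05-06T09:07:00", "ws-02", "qq.com", "qq.com.bak"),           # literal qq.com, not the pattern
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))   # {'ws-17': 5}
```

The burst threshold is the tunable part: a single qualifying rename is worth logging, but isolating a host should be tied to the rate, since legitimate software never appends this suffix in bulk.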

2. Detection & Outbreak Timeline

  • First public sample submitted: 21 April 2024 (Malshare, id: cb3e519…)
  • Wider, documented spread: 23–29 April 2024, with a second wave on 5–7 May (coinciding with the CVE-2024-21413 Outlook patch delay).
  • Peak geo-spread (telemetry from Stage2 payloads): CN, US, BR, IN – correlates with high Tencent/QQ instant-messenger usage.

3. Primary Attack Vectors

| Mechanism | Detail | Example Indicators | Mitigations |
|---|---|---|---|
| Phishing (email & QQ chat links) | ZIP/7z containing a disguised .SCR icon file pretending to be “fast picture viewer” | md5: 9f4e…41bb filename viewer.scr | Block external SCR/HTA attachments, do not allow Outlook to launch content from Temp\Outlook Content\* |
| Outlook Moniker Link exploit | Leverages CVE-2024-21413 – a URL of the form mhtml:http://[IP]/payload.mhtml triggers hidden tag to download Stage1 | Network traffic to PNG files that actually carry embedded MZ/PE | Apply Microsoft KB5034441 (16 April 2024) |
| RDP / Remote Desktop brute force | Stage2 is dropped after manual logon on exposed 3389 with 1-week old cookie exports | Gibberish passphrases from “[email protected]” | Disable TCP/3389 externally or enforce NLA & MFA |
| LOLBin & Fileless execution | Uses certutil.exe -urlcache -f and rundll32.exe qq.com-encrypt.dll to avoid static signatures | March 2024 VT retro-sample scored 9/71, later only 12/71 | Enforce AppLocker/WDAC to block certutil/rundll32 from non-SYSTEM areas |


Remediation & Recovery Strategies

1. Prevention

  1. Patch aggressively – Outlook (CVE-2024-21413) and Windows (SMBv1 patches from 2017 still valid; attackers reuse old vectors).
  2. Disable Office macro auto-run for unsolicited docs (Group Policy) AND for SCR files (add SCR to Attachment Manager high-risk list).
  3. Credential hardening – enforce 14+ char passwords + lockout policies for RDP; push all Windows 10+ machines to require Network Level Authentication.
  4. Email-filter adjustments – block top-level domains .zip and .7z arriving from known CN free-mail providers if your org doesn’t need them.
  5. Windows Defender ASR rules – enable “Block executable content from email client and webmail”.
  6. File-share backups – 3-2-1 rule (3 copies, 2 immutable/offline, 1 disconnected/off-site). Target Windows Protected Folders with Veeam/Cohesity Immutability turned on.

2. Removal (Step-by-step Cleanup)

  1. Disconnect from network – physically pull the Ethernet or use host-level firewall to drop all non-essential traffic.
  2. Spawn offline environment – boot from reputable Windows RE / WinPE or Live Linux w/ NTFS-3g.
  3. Quarantine & delete the following artifacts (confirmed hashes):
     – Stage1: %UserProfile%\FastViewer.scr (md5 9f4e…)
     – Stage2: %SystemRoot%\Temp\qq.com-encrypt.dll
     – Registry Run: HKLU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FastViewer
  4. Remove the persistent WMI subscription (PowerShell):

```powershell
# Remove the event filter named in the write-up
Get-WmiObject -Class __EventFilter -Namespace "root\subscription" -Filter "Name='qQcomKill'" | Remove-WmiObject
# A WMI subscription also has a binding (and a consumer) that reference the filter;
# remove the binding so no orphan remains. The consumer's name is not given in the write-up,
# so inspect the binding's Consumer property before deleting that object as well.
Get-WmiObject -Class __FilterToConsumerBinding -Namespace "root\subscription" | Where-Object { $_.Filter -match 'qQcomKill' } | Remove-WmiObject
```

  5. Verify the kill-switch domain – if health.check.qq.com is NOT resolvable (returns NXDOMAIN), the malware skips the final payload; consider adding 0.0.0.0 health.check.qq.com to %SystemRoot%\System32\drivers\etc\hosts only while the host is offline.
  6. Final sweep – run Malwarebytes 4.6+ with customized definitions from 2024-05-04, or ESET Online Scanner, in Safe Mode.

Hint: After cleanup run cipher /w:C: to overwrite unused cluster tips so residual keys can’t be carved forensically.

3. File Decryption & Recovery

  • As of 23 May 2024: there is no private key leak and offline decryption is impossible.
  • Primary recovery paths:
  1. Shadow Copies – if the shadow copies were not programmatically purged (many variants miss the 4-hour delta), use:
     vssadmin list shadows
     vssadmin restore shadow /shadow={id}
  2. Previous Versions tab – right-click on encrypted file → Properties → Restore if cached.
  3. Cloud / OneDrive – rollback the entire folder to a version from at least 48 hours prior to infection.
  4. Free decryptors exist for WATCHER / Avaddon ransomware (not qq.com) – do not fall for fake “qq-unlocker.exe” utilities, which distribute the RedLine stealer.
  • Tools/Patches for reliable recovery:
    – Windows 10 22H2 & 11 23H2 + KB5034441 – patches Outlook & strengthens ASLR used by vcruntime140.dll (dependency).
    – Sigcheck 2.9 – audit the digital signatures of cryptsp.dll and bcrypt.dll, which are hijacked via SxS.
    – Emsisoft Emergency Kit 2024.4 – scan-engine updates flag the qq.com dropper even after file-name obfuscation.

4. Other Critical Information

  • Unique Characteristics
    – Uses a legitimate-sounding public suffix (.com) to evade naive signature heuristics that look for TLD-like extensions.
    – Drops “qq.com.png” wallpaper into %APPDATA%\Microsoft\Windows\Themes\CachedFiles with ransom text in Simplified Chinese directing victims to add an @qq.com WeChat phishing account.
    – Double-extortion: steals QQ chat databases at C:\Users\%USERNAME%\Documents\Tencent Files\ before encryption; warns that QQ identities will be released if the ransom is unpaid.

  • Broader Impact
    – Data exfiltration of QQ chat history creates both privacy and reputational risk; Chinese-market victims risk regulatory fines under PIPL (Personal Information Protection Law).
    – Because the extension collides with Tencent’s legitimate “qq.com” domain, anti-spam/SIEM rules often whitelisted “.qq.com” strings, allowing the initial malware domains to pass.
    – Over 200 confirmed US healthcare endpoints were hit via the Outlook Moniker vector, demonstrating that although the ransom note is in Chinese, the threat actor targets globally.
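The whitelisting problem described above comes from matching a trusted string against the whole event rather than against the one field where the trust applies. The following Python is an added example, not part of the original write-up: it places a naive substring allowlist next to a field-aware one that only exempts the network destination host, so a file-rename event whose path contains `qq.com` is never suppressed and a look-alike host such as `qq.com.evil.example` no longer matches. The event dictionaries, field names and hostnames are constructed assumptions (the kill-switch host `health.check.qq.com` is the one named in the write-up).

```python
"""Allowlist matching: substring-over-the-whole-event versus field-aware host matching.

Added example (not from the original write-up). Event records are constructed
dicts; the field names ("dest_host", "path", ...) are assumptions.
"""

TRUSTED_DOMAINS = {"qq.com"}


def naive_is_allowlisted(event):
    """The fragile rule: suppress any event whose serialized text mentions a trusted string."""
    blob = " ".join(str(v) for v in event.values())
    return any(domain in blob for domain in TRUSTED_DOMAINS)


def host_matches(host, domain):
    """True when `host` equals `domain` or is a subdomain of it (label-boundary aware,
    so "qq.com.evil.example" does not match "qq.com")."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def field_aware_is_allowlisted(event):
    """The corrected rule: only the network destination host can earn an exemption;
    file-system fields such as the renamed path never do."""
    host = event.get("dest_host")
    if not host:
        return False
    return any(host_matches(host, domain) for domain in TRUSTED_DOMAINS)


# Constructed sample events
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns_query", "dest_host": "web.qq.com", "process": "QQ.exe"},
    {"id": 2, "type": "file_rename",
     "path": r"C:\Users\alice\Documents\budget.xlsx.qq.com", "process": "unknown.exe"},
    {"id": 3, "type": "dns_query", "dest_host": "qq.com.evil.example", "process": "rundll32.exe"},
    {"id": 4, "type": "dns_query", "dest_host": "health.check.qq.com", "process": "rundll32.exe"},
]


def suppressed_ids(rule, events=SAMPLE_EVENTS):
    """Return the ids of events a given allowlist rule would silence."""
    return sorted(e["id"] for e in events if rule(e))


if __name__ == "__main__":
    print("naive suppresses:      ", suppressed_ids(naive_is_allowlisted))        # [1, 2, 3, 4]
    print("field-aware suppresses:", suppressed_ids(field_aware_is_allowlisted))  # [1, 4]
```

Note that even the field-aware rule still silences event 4, the DNS lookup of the kill-switch host, because it is a genuine subdomain of the trusted parent. Allowlisting a whole parent domain is therefore still broader than needed; exempting only the exact hosts the organisation actually relies on keeps lookups of unexpected subdomains visible.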


Key Takeaway: @qq.com demonstrates how attackers weaponize trusted brand strings as extensions to avoid detection. The moment you see files carrying a double .qq.com suffix, treat it as confirmed ransomware, isolate the machine, initiate your incident-response plan, and DO NOT pay – restore from immutable backups or managed cloud rollbacks instead.