@qq_com

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • File extension: the @qq_com group appends the literal string .qq_com (lowercase, with a leading dot) to every file it encrypts.
  • Renaming convention:
    • Original Document.docx → Document.docx.qq_com
  • Ransom note: every affected directory receives a note named !README!.txt (some samples: !readme!!!.txt).
  • Thumbprint suffix: later samples insert an 8-hex-character hash of the system ID before the extension, giving <name>.<8-hex-chars>.qq_com, e.g. Photo.jpg.9Fa1C37D.qq_com. Because the value is derived from the host, it should be identical across every file encrypted by the same machine.
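The naming rules above are easy to turn into a triage pass over a file-server listing. The following is an added example, not code from this page or from any vendor tool: it parses the <name>[.<8 hex>].qq_com pattern, picks out the two ransom-note names, and reports the distinct thumbprints seen (under the description above, one per infected host). The listing it runs on is constructed.

```python
import re
from pathlib import PureWindowsPath

# <name>[.<8 hex>].qq_com: the optional middle group is the per-host thumbprint.
# The page's sample thumbprint (9Fa1C37D) is mixed case, so both cases are
# accepted; the extension itself is matched lowercase only, as described.
# Caveat: an original filename that already ends in eight hex characters
# (e.g. "build.DEADBEEF") is indistinguishable from a thumbprinted one.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+?)(?:\.(?P<tp>[0-9A-Fa-f]{8}))?\.qq_com$")

# Both note filenames reported on the page, compared case-insensitively.
RANSOM_NOTES = {"!readme!.txt", "!readme!!!.txt"}


def original_name(filename):
    """Return (original_name, thumbprint_or_None) for an encrypted filename,
    or None if the name does not follow the @qq_com renaming pattern."""
    m = ENCRYPTED_RE.match(filename)
    if m is None:
        return None
    return m.group("orig"), m.group("tp")


def triage(listing):
    """Summarise a list of full Windows paths for @qq_com artefacts.

    Returns the encrypted files (with their pre-encryption names), the ransom
    notes, the distinct thumbprints (one per infected host, if the suffix is
    the host hash the page describes) and every directory holding either.
    """
    encrypted, notes, thumbprints, dirs = [], [], set(), set()
    for raw in listing:
        p = PureWindowsPath(raw)
        parsed = original_name(p.name)
        if parsed is not None:
            orig, tp = parsed
            encrypted.append({"path": raw, "original": orig, "thumbprint": tp})
            if tp is not None:
                thumbprints.add(tp)
            dirs.add(str(p.parent))
        elif p.name.lower() in RANSOM_NOTES:
            notes.append(raw)
            dirs.add(str(p.parent))
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        "thumbprints": sorted(thumbprints),
        "affected_dirs": sorted(dirs),
    }


# Constructed listing: an early-sample file without a thumbprint, a later one
# with, and a share that a second, differently thumbprinted host has also hit.
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\Document.docx.qq_com",
    r"C:\Users\bob\Documents\!README!.txt",
    r"C:\Users\bob\Pictures\Photo.jpg.9Fa1C37D.qq_com",
    r"C:\Users\bob\Pictures\!readme!!!.txt",
    r"C:\Users\bob\Pictures\Thumbs.db",
    r"D:\share\finance\Q1.xlsx.0A1B2C3D.qq_com",
    r"D:\share\finance\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted files, "
          f"{len(summary['ransom_notes'])} ransom notes, "
          f"thumbprints seen: {summary['thumbprints']}")
    for d in summary["affected_dirs"]:
        print("  affected:", d)
```

Two distinct thumbprints on one share means two infected hosts wrote to it, which is worth knowing before deciding how wide the containment needs to be.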

2. Detection & Outbreak Timeline

  • Approximate start date: the first submissions to ID-Ransomware and VirusTotal are dated 02-Feb-2023; an English-language post on criminal forums offering affiliate access appeared a week later (09-Feb-2023). Infections in China, Taiwan and South-east Asia spiked in mid-March 2023; Western targets followed in Q2 2023, mostly through compromised VPN appliances.

3. Primary Attack Vectors

  1. Cobalt Strike beacons delivered via:
    • Phishing e-mail carrying an ISO attachment; the ISO contains an LNK shortcut that launches a malicious DLL.
    • Microsoft Word documents (subject line “GTB-update-form”) whose “pinkas” template macro invokes PowerShell.

  2. RDP / SMB lateral movement:
    • Brute force and credential stuffing against TCP/3389.
    • A custom Go port scanner (scan.exe) sweeps for TCP/445 (SMB) to pick lateral-movement targets.

  3. Exploitation of unpatched edge services:
    CVE-2019-19781 (Citrix ADC/Gateway) and Log4Shell (CVE-2021-44228), used to drop the initial shell scripts.

  4. Supply-chain backdoored loader: a signed update binary for a telecom provisioning tool, observed at one regional telecom provider.
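A first detection for the RDP vector above is a sliding-window count of failed logons (Security Event ID 4625) per source address, which catches both a single hammered account and a spray across many accounts. The code below is an added example, not the group's tooling or any vendor rule: the event records are constructed, the field names are simplified from the real event schema, and the thresholds (10 failures or 5 distinct accounts within 5 minutes) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types counted by this rule: 10 = RemoteInteractive (an RDP session);
# 3 = Network, which is how failures appear when Network Level Authentication
# rejects the credentials before any desktop session exists.
RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, window=timedelta(minutes=5),
                          fail_threshold=10, user_threshold=5):
    """Flag source addresses whose failed logons (Event ID 4625) look automated.

    Two shapes are reported: many failures inside one window (brute force) and
    failures spread across many accounts (password spray, which deliberately
    stays under per-account lockout thresholds). The window slides over each
    source's failures in time order, so a slow attacker is judged by its
    densest burst rather than by its average rate.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        by_src[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    alerts = []
    for src, rows in by_src.items():
        rows.sort()
        start, best_count, best_users = 0, 0, set()
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {user for _, user in rows[start:end + 1]}
        if best_count >= fail_threshold or len(best_users) >= user_threshold:
            alerts.append({
                "src": src,
                "attempts_in_window": best_count,
                "distinct_users": len(best_users),
                "kind": "spray" if len(best_users) >= user_threshold else "brute_force",
            })
    return alerts


def _constructed_events():
    """Constructed 4625/4624 records carrying only the fields the rule needs."""
    base = datetime(2023, 3, 14, 2, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    events = []
    # 12 failures against one account in under three minutes: brute force.
    for i in range(12):
        events.append({"event_id": 4625, "time": stamp(15 * i), "user": "administrator",
                       "src": "203.0.113.7", "logon_type": 10})
    # Six different accounts, one attempt each, in under two minutes: a spray.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        events.append({"event_id": 4625, "time": stamp(20 * i), "user": user,
                       "src": "198.51.100.23", "logon_type": 3})
    # One mistyped password from the LAN followed by a success: not an alert.
    events.append({"event_id": 4625, "time": stamp(60), "user": "alice",
                   "src": "10.0.0.5", "logon_type": 10})
    events.append({"event_id": 4624, "time": stamp(120), "user": "alice",
                   "src": "10.0.0.5", "logon_type": 10})
    return events


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

If TCP/3389 is reachable from the internet the brute-force alert will fire constantly; the spray shape is the one that still carries signal once the port is behind a VPN, because it implies credentials are being tried from inside.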


Remediation & Recovery Strategies:

1. Prevention

| Layer | Action |
|---|---|
| Email & Phishing | Block ISO, IMG and VHD/VHDX attachments at the mail gateway. Block macros in documents from outside the organisation (Mark-of-the-Web) unless they are signed by an allow-listed publisher. |
| RDP / SSH | Expose TCP/3389 only behind a VPN with MFA. Restrict the Remote Desktop inbound rule's scope in Windows Defender Firewall to known management subnets. |
| Patching | Prioritise Citrix ADC/Gateway, Exchange, applications that bundle Log4j, and Fortinet and other VPN appliances. |
| Endpoint Controls | Remove the PowerShell 2.0 engine (it predates AMSI and script-block logging). Use WDAC or AppLocker to block unsigned EXE/DLL execution from %TEMP%, %ProgramData% and other user-writable paths. Enable AMSI integration and PowerShell script-block logging, and make sure the EDR is in block mode for Cobalt Strike beacon signatures. |

2. Removal

  1. Isolate the host (unplug the cable or disable Wi-Fi). Leave it powered on if a memory image is wanted for forensics.
  2. Kill the ransomware process if it is still running: in Task Manager look for a randomly named 10-letter EXE and for svchostx.exe (the real name uses a Unicode look-alike to pass as svchost.exe).
  3. Remove persistence:
    • Registry Run keys referencing Explorer32.exe, and a “CryptoLocker” service entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
    • A scheduled task (task.xml, reported under %windir%\Tasks\; on current Windows the XML definitions live under %windir%\System32\Tasks\, so check both) that launches a hidden .ps1 from %ProgramData%.
  4. Run a full scan with Malwarebytes, Kaspersky Rescue Disk or Windows Defender Offline (signature version 1.377.186.0 or later).
  5. Reboot into Safe Mode without networking and confirm the service does not come back: sc qc QQCOM_CS should fail with “OpenService FAILED 1060: The specified service does not exist as an installed service”.
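The scheduled-task persistence in step 3 can be checked offline by copying the task's XML off the host (task definitions on disk are UTF-16 with a BOM) and parsing it. The following is an added example, not part of this page or of any product: it flags a hidden task whose action runs a script host with window-hiding or policy-bypass switches, or a .ps1 from %ProgramData%. The two task definitions are constructed; script hosts other than powershell.exe and writable locations other than %ProgramData% are assumptions of the example, not findings from the page.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# powershell.exe is what the page describes; the other script hosts are a
# common extension of the same check and an assumption of this example.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# %ProgramData% comes from the page; the other user-writable locations are assumed.
WRITABLE_HINTS = ("programdata", "\\users\\public", "appdata", "\\temp\\")

SUSPICIOUS_SWITCHES = re.compile(
    r"-w(?:indowstyle)?\s+hidden"                      # -W Hidden
    r"|-e(?:xecutionpolicy|p)\s+bypass"                # -ExecutionPolicy Bypass
    r"|-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}",  # -enc <base64 payload>
    re.IGNORECASE,
)


def triage_task_xml(xml_bytes):
    """Return a list of findings for one Task Scheduler XML definition.

    Takes the raw file bytes (the UTF-16 BOM is detected by the XML parser)
    and inspects the Settings/Hidden flag and every Actions/Exec entry.
    """
    root = ET.fromstring(xml_bytes)
    findings = []

    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")

    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = PureWindowsPath(command).name.lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"action runs a script host: {exe}")
        if SUSPICIOUS_SWITCHES.search(arguments):
            findings.append("arguments hide the window, bypass execution policy "
                            "or pass an encoded command")
        # Tokenise on whitespace but keep quoted paths whole.
        for token in re.findall(r'"[^"]+"|\S+', arguments):
            path = token.strip('"')
            low = path.lower()
            if low.endswith(".ps1") and any(hint in low for hint in WRITABLE_HINTS):
                findings.append(f"runs a script from a user-writable location: {path}")
    return findings


# Constructed task definition matching the persistence described on the page.
MALICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>SYSTEM</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -File %ProgramData%\svc\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")

# Constructed benign task: a vendor updater on a schedule, nothing hidden.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-01-01T03:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\Updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task_xml(blob) or ["no findings"])
```

Run it over every file under the Tasks directory of a suspect host; a task that trips the hidden flag together with a script host and a .ps1 in a writable location is exactly the shape step 3 describes, while a vendor updater produces nothing.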

3. File Decryption & Recovery

  • Recovery feasibility: as of June 2024 there is no free decryptor. Files are encrypted with ChaCha20 via libsodium and the keys are protected with RSA-2048 (RSA is not part of libsodium, so that step necessarily uses another library); the key material is generated server-side, so nothing needed for decryption is left on the victim host.
  • Typical recovery vectors:
    • Restore from offline or otherwise isolated backups (the primary route).
    • Volume Shadow Copies are wiped with vssadmin delete shadows /all /quiet, so do not count on them. Check volume-level backups (Azure Backup, Acronis, Commvault) or object-locked (“immutable”) S3 buckets.
    • If the ransom note claims data was exfiltrated, treat the incident as a data breach: check the group's Tor leak site (“InfoBlog”) for a listing, involve legal counsel before any contact with the actors, and plan for follow-on pressure such as DDoS.
  • Essential tools and patches:
    • Fortinet: upgrade to a current FortiOS 7.x release (PSIRT-2023-01).
    • Citrix ADC/Gateway: move to a supported build such as 13.1-49.x; the fix for CVE-2019-19781 has shipped since January 2020, so any appliance still vulnerable is badly behind.
    • Crypto-Guard extension for SentinelOne EDR (adds the behavioural rule QQCOM-FileRenamer).
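The vssadmin command quoted above is the standard pre-encryption tell and should page someone the moment it appears in process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled). The following is an added example, not code from this page: a small rule set run over constructed process records. Only the first rule comes from the page; the shadow-storage resize, wmic and PowerShell WMI variants are well-known equivalents added here as an assumption about what a practitioner would also want to cover.

```python
import re

# Command-line shapes that remove or starve Volume Shadow Copies. The first is
# the exact line from the page; the rest are common equivalents (an assumption
# of this example) that defenders usually watch alongside it.
SHADOW_COPY_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin-resize-shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell-win32_shadowcopy-remove",
     re.compile(r"win32_shadowcopy.*\b(?:remove-wmiobject|remove-ciminstance)\b")),
]


def normalise(cmdline):
    """Lower-case, drop quotes and collapse whitespace so that one pattern
    covers the many spellings of the same command line."""
    return " ".join(cmdline.replace('"', " ").split()).lower()


def detect_shadow_copy_tampering(records):
    """Return one hit per process-creation record whose command line matches
    a shadow-copy tampering rule (the first matching rule wins)."""
    hits = []
    for rec in records:
        cmd = normalise(rec["cmdline"])
        for name, pattern in SHADOW_COPY_RULES:
            if pattern.search(cmd):
                hits.append({"pid": rec["pid"], "parent": rec["parent"],
                             "rule": name, "cmdline": rec["cmdline"]})
                break
    return hits


# Constructed process-creation records: the page's exact line, three
# equivalents, and two benign commands that mention the same tools.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "parent": "svchostx.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4132, "parent": "cmd.exe",
     "cmdline": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"},
    {"pid": 4140, "parent": "explorer.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    {"pid": 4150, "parent": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB'},
    {"pid": 988, "parent": "services.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"pid": 1200, "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\ExampleBackup\backup.exe" /schedule'},
]

if __name__ == "__main__":
    for hit in detect_shadow_copy_tampering(SAMPLE_PROCESS_EVENTS):
        print(f"pid {hit['pid']} (parent {hit['parent']}): {hit['rule']}")
```

The parent process is carried through on purpose: vssadmin launched by a backup agent is expected, vssadmin launched by an oddly named svchost look-alike is the page's infection in progress, and the response should differ accordingly.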

4. Other Critical Information

  • Unique characteristics:
    – Locale check: exits if the system default language is Russian or Ukrainian. Note that the comparison as reported, GetSystemDefaultLangID() == 0x0419, matches only ru-RU; the Ukrainian LANGID is 0x0422.
    – Post-exploitation: a PowerShell script walks mapped drives and deletes .bak and .sql files outright. They are not encrypted, only destroyed, so a purchased key would not bring them back.
    – C2 is a China-hosted server (115.*.28.33) on TCP/443; HTTP POST bodies are padded with random bytes to evade DLP inspection.
  • Wider impact:
    – Over 240 publicised cases among Chinese manufacturing and SMB victims (Palo Alto Unit 42 report “QUICK COM”); about 120 GB of leaked SQL dumps were later used in impersonation fraud.
    – Ransoms have ranged from 0.8 to 4.5 BTC, paid to a single static wallet (“QQ_coin”), an unusual degree of centralisation for an affiliate-run campaign.

Keep offline backups, patch aggressively and block macro execution: those three measures alone close roughly 80 % of the @qq_com infection paths documented to date.