The newly emergent BQTLock ransomware-as-a-service, which has been associated with ZerodayX, the alleged leader of the pro-Palestinian hacktivist group Liwaa Mohammed, has already gained a new variant with more sophisticated attack techniques just weeks after its initial launch in mid-July, GBHackers News reports.
Aside from featuring improved anti-debugging mechanisms and code obfuscation, the updated BQTLock variant is better at bypassing User Account Control (UAC) and tampers with the Windows registry, while using WMI for more comprehensive reconnaissance, according to an analysis from K7 Security Labs. Researchers also found that the new iteration of BQTLock supports browser data theft, key decryption, and lateral movement, and uses a hybrid AES-256/RSA-4096 scheme for data encryption. The attackers have also launched the paid BAQIYAT.osint tool, which allows discovery of stolen data. Although multiple measures, including batch script-based self-deletion and event log deletion, are used to keep operations covert, corrupted BQTLock samples have still been observed online.