Tuesday, May 20, 2025
HomeRansomwareqkG Filecoder Ransmowmare Rapidly Spreading with Self-Replicating and Document-Encrypting Capabilities

qkG Filecoder Ransmowmare Rapidly Spreading with Self-Replicating and Document-Encrypting Capabilities

Published on

SIEM as a Service

Follow Us on Google News

A new File Encoder Ransomware discovered with new stealthy capabilities that have implemented in VBA macros called qkG Filecoder that are entirely related to blank Word documents  Based.

qkG Filecoder is the First Ransomware that capable of self Self-Replicating capabilities from one file to another, and unlike other ransomware families, its uses malicious macro code to downloading the ransomware.

The malicious macro code is one of the techniques that is used by a .lukitus variant of Locky ransomware which is capable of auto close VBA Script.

- Advertisement - Google News

qkG capable of encrypting the document content but it won’t damage the file structure, and it will not change the file name as well.

It affects only an ActiveDocument which means that will just Encrypt the opened documents and no ransom notes will be added to the system.

According to macro malware body, The qkG was named by its developer, and these samples were added by to VirusTotal from Vietnam.

Also Read: Necurs Spam Botnet Back in Business Spreading Scarab Ransomware

How does qkG Filecoder infection chain work

Once Victims enables the macros, the normal.dot template will be modified and get infected with malicious macros.

Whenever victims will open the word, Malicious normal.dot template will be loaded and executed into the memory.

qKG will not perform any task whenever the user opens the uninfected document. Later, it will encrypt the file content once a user tries to close the particular opened document.

Next stage it will display the message with an email and Bitcoin address, along with the encrypted content.

qkG Filecoder

qkG Filecoder uses the Document_Open() autostart macro to repeat the encryption process in the clean machine.

qkG Filecoder using  XOR cipher encryption and same encryption key used in each and every encrypted documents.

According to Trend Micro, Suppose we create a document containing the text “1234567890”. After closing the document on an infected machine, the odd characters get XORed with a corresponding character in the hardcoded password “I’m QkG@PTM17! by TNA@MHT-TT2”, while each even character is left intact. The resulting encrypted document containing text “1234567890” is in the screenshot above.

“One of the tested samples contains a decryption routine.it’s not used within the malware body and accordingly doesn’t work. This malware can also be construed as malware still in development.”

qkG Filecoder

Also, Researchers found a bitcoin address that is used along with this variant. But it seems no transaction has been performed.

While not particularly pervasive regarding impact, qkG’s unique use of malicious macros is still notable. And like other ransomware families, we expect this technique to be rehashed, broadened, and repurposed for other cyber attacks.

Disabling macros significantly reduces the risk of macro-based malware such as qkG. Trend Micro said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...

Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced...

More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as...

RedisRaider Campaign Targets Linux Servers by Exploiting Misconfigured Redis Instances

Datadog Security Research has uncovered a formidable new cryptojacking campaign dubbed "RedisRaider," specifically targeting...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Researchers Replicate Advanced Tactics and Tools of VanHelsing Ransomware

Cybersecurity researchers at AttackIQ have meticulously emulated the intricate tactics, techniques, and procedures (TTPs)...

TransferLoader Malware Enables Attackers to Execute Arbitrary Commands on Infected Systems

A formidable new malware loader, dubbed TransferLoader, has emerged as a significant cybersecurity threat,...