Quixotic is a crypter that has been used to crypt various malware samples, including BlackBasta ransomware and CobaltStrike. In May 2023, it was used to crypt a BlackBasta ransomware sample, and in October 2022 it was used to crypt a CobaltStrike sample deployed in a BlackBasta attack. The crypter stores its payload in a data section and decrypts it with XOR, using a key constructed from multiple strings. It's noteworthy that we began tracking Quixotic and Quartz in May 2022, and first observed Quicksand in March 2023.
During 2023, there was a noticeable shift in the malware landscape as the use of SharpDepositorCrypter (SDC)/OMCLoader declined. In contrast, BlackBasta ransomware increasingly employed other crypters, including Quixotic, Quicksand, Dave, and Tron. Qakbot, another malware family, had been using its own set of crypters, including CryptOne, Quartz, and Quixotic. Similarities were also identified between the PE loading code found in Quicksand and the shellcode loaders used by Quartz and Quixotic.
The increasing use of Quixotic and its counterparts has raised concerns among cybersecurity professionals. The malware's ability to infiltrate systems unnoticed and cause significant damage or disruption highlights its threat level. Furthermore, the observed trend towards diversifying crypters used by ransomware like BlackBasta suggests an evolving threat landscape, necessitating ongoing vigilance and robust countermeasures.
Description last updated: 2024-05-04T20:03:57.309Z