Lately, the Zscaler ThreatLabZ workforce got here throughout a brand new kind of malware referred to as Qealler, which is written in Java and designed to silently steal delicate info from an contaminated machine.

Qealler is a extremely obfuscated Java loader that deploys a Python credential harvester.

We first noticed this payload hit Zscaler Cloud Sandbox on Jan 21, 2019, and under is a screenshot of the detonation report.

Fig. 1: Zscaler Cloud Sandbox report

This threat makes use of social engineering techniques to initiate the infection, as the malicious JAR file has to be executed by the user. These malicious JAR files are portrayed as invoice-related files, requiring the user to double-click on the file to open it.

We have been monitoring this campaign for the past two weeks, and the malware has been quite active, spiking this week.

Fig. 2: Hits of Qealler in per week

The malicious JAR file (named Remittance.jar), which we analyzed, was getting downloaded from a compromised web site (hiexsgroup.co[.]uk). It’s closely obfuscated with Proguard Java obfuscator. After deobfuscation and decompilation, we noticed encrypted URLs which are accessible by a key, as proven within the determine under.

Fig. 3: Accessing encrypted URLs

The sample has a “synchronized” file that contains key-value pairs.

Fig. 4: Key-Worth pair of encrypted URLs

On execution, this pattern first creates two file paths in %USERPROFILE% by checksum of hardcoded strings.

Fig. 5: File Path creation

File path 1:

%USERPROFILE%CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)CRC32(“qealler”)CRC32(“lib”)CRC32(“8e65457409fea4b2a183125f1c0f552080edb4cefa516b14698cb8d0abf5bb6dFILE”)

Equivalent to:

%USERPROFILE%a60fcc00bda431f8a90f3bcc83e7cdf9

File Path 2:

%USERPROFILE%CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)CRC32(“qealler”)CRC32(“lib”)CRC32(“0e10ad6938994f2466b192d8f29217ad39155b8a3a082b6412048f4a12126b3bFILE”)

Equivalent to:

%USERPROFILE%a60fcc00bda431f8a90f3bccdb2bf213

If the above two files don’t exist, the malicious file decrypts the URL, downloads these two files, and stores them in the same place.

Fig. 6: Encrypts and drops downloaded module

The worth of LIB_7Z_URL within the synchronized file is “xVQR4PWAw91AhkgaMsQVAVV1igV7HSOV1dqWgFN23eQtkNRd23RzTnPVGB9/iVYA” which is decoded by BASE64 and decrypted by AES-EBC with the hardcoded key “bbb6fec5ebef0d93”.

The ultimate URL after decryption is hxxp://82.196.11[.]96:55326/lib/7z

The worth of LIB_QEALLER_URL within the synchronized file is “xVQR4PWAw91AhkgaMsQVAaWhGxVQIpMxX60ZE+OpV3KjNnWvOARi0rccZaVSvle8”, it is usually decrypted by the identical algorithm with the identical key.

The ultimate URL is hxxp://82.196.11[.]96:54869/lib/qealler

The pattern downloads the information from these URLs and encrypts it utilizing the AES algorithm with the important thing generated by SecureRandom() having hardcoded seed worth “2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”.

AES key: 39 3e df 7e fc 58 be 20 60 e4 78 bb 4a 91 38 72

After encryption, it shops each recordsdata on the under areas to keep away from additional downloading within the subsequent run:

%USERPROFILEpercenta60fcc00bda431f8a90f3bcc83e7cdf9 (/lib/7z)

%USERPROFILEpercenta60fcc00bda431f8a90f3bccdb2bf213 (/lib/qealler)

Fig. 7: Created path and dropped files

Along with these two files, the virus creates another file path with the following algorithm and stores an encrypted unique machine ID in it. The ID is generated by a random number of system nanoTime.

Machine ID path:

%USERPROFILE%CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)CRC32(“qealler”)CRC32(“machine”)CRC32(“id”)CRC32(“d”)CRC32(“q”)

Equivalent to:

%USERPROFILE%a60fcc00bda431f81505df84bf39675098dd4acc99de3ada

After the downloading and decryption steps are completed, the sample stores a decrypted copy of 83e7cdf9 and db2bf213 in the %TEMP% directory with the name “_<SystemNanoTime>.tmp”.

 _502560701855008616300501457487639.tmp

_502562165489004300569223733573535.tmp

_502560701855008616300501457487639.tmp (/lib/7z) is again a JAR file that doesn’t have any Java code inside, but contains three PE files inside the libraries as shown in Fig 8.

Fig. 8: Content material of _502560701855008616300501457487639.tmp (/lib/7z)

7za.exe is a repackaged model of 7-zip to make sure the malware executes efficiently even when the person doesn’t have it put in by default.

The 7-zip (7za.exe) and its modules (7za.dll, 7zxa.dll) will likely be extracted from 7z.jar by the principle pattern and saved within the %TEMP% listing with the identify “7z_<SystemNanoTime>.exe” and “7z_<SystemNanoTime>.dll”.

7z_502574395484008643130462441900754.exe

7z_502567545558005642490654395727502.dll

7z_502579570140002751296504101539829.dll

After extraction, the 7-zip executable is known as by the principle pattern with the next command-line choices:

 %TEMPpercent7z_502574395484008643130462441900754.exe x %TEMPpercent_502562165489004300569223733573535.tmp -opercentTEMP% -p”bbb6fec5ebef0d936db0b031b7ab19b6” -mmt -aoa -y

The downloaded Qealler module _502562165489004300569223733573535.tmp (/lib/qealler) is a password-protected file with 7-zip.

The above command will extract the Qealler module within the %TEMP% listing with the password: bbb6fec5ebef0d936db0b031b7ab19b6

-mmt: use multithreading mode

-aoa: set overwrite mode

-y: assume sure for all of the prompts

The Qealler module is the important thing part of this malware.

The extracted Qealler module comprises Python 2.7.12 with the put in packages to make sure the malware will execute even when the person doesn’t have it put in by default.

The Qealler additionally has a listing named QaZaqne. It’s a customized model of the open supply challenge referred to as LaZagne. LaZagne is used to retrieve a number of passwords saved on an area pc. This is identical performance of QaZagne, which finds and steals credentials of probably the most generally used software program from native machines.

Fig. 9: Content of extracted _502562165489004300569223733573535.tmp (/lib/qealler)

After extraction, the main sample (Remittance.jar) executes a Python file of QaZagne (main.py) with the following option and takes the JSON output:

%TEMP%qeallerpythonpython.exe %TEMP%qeallerqazaqnemain.py all

Fig. 10: Stealer capabilities in QaZaqne module

This may get the credentials of all of the software program proven within the determine under:

Fig. 11: Qealler steals credentials of the software in this table

The output of the QaZagne on an infected Windows machine is shown in Fig 12. It is in JSON format and contains the credentials of CoreFTP and a Windows credential manager. It always starts with #fs# and ends with #ff#.

Fig. 12: JSON output of QaZaqne module

The principle pattern parses this output, fetches under system info, and encrypts it utilizing an AES-EBC algorithm with key “bbb6fec5ebef0d93”.

Fig. 13: Fetch and encrypt system info

The final information scraped from the infected machine before encryption is shown below.

Fig. 14: Scrapped information from an contaminated machine

Right here, machine_id is a singular ID generated by system nanoTime and uuid is encrypted in a synchronized file.

This output is encrypted and encoded with BASE64 and despatched to the command-and-control (C2) server, whose URL is an encrypted worth of the important thing “d7c363a2019dac744cf076e11433547a47907e2c2f781e2d1c8f59a40c57dd03” in a synchronized file.

C2 URL: hxxp://82.196.11[.]96:56636/qealler-reloaded/ping

Fig. 15: Data sent to C2

In the post headers, q-qealler-id is the encrypted machine ID and q-qealler-stub-id is the encrypted hash of the machine ID and system time.

The request body contains encrypted and encoded system information and stolen credentials.

If the C2 server is active and data is successfully sent to the server, it will respond with the encrypted status, which looks like the following after decryption:

 {“standing”:”2000″,”message”:”success”,”prolonged”:[],”time”:1548096059}

IOCs:

hiexsgroup.co[.]uk/?_sm_nck=1

lcbodywowrksltd[.]online

willsonsolicitors[.]biz

willsonsolicitors[.]online

willsonsolicitors[.]store

mcneilspecs[.]com

mcneilspecs[.]org

mcneilspecs[.]net

prestigebuildersltd[.]com

prestigebuildersltd[.]net

larrgroup.co[.]uk/remittance%20advice.jar

prestonbuildersltd.co[.]uk/remittance%20advice.jar

otorgroup.co[.]uk/remittance%20advice.jar

ultrogroup.co[.]uk/remittance%20advice.jar

stgeorgebuildltd.co[.]uk/remittance%20advice.jar

gregoryteebuilders.co[.]uk/remittance%20advice.jar

txjxgroup.co[.]uk/remittance.jar

kingagroup.co[.]uk/remittance%20advice.jar

hiexgroup.co[.]uk/remittance%20advice.jar

salmogroup.co[.]uk/remittance%20advice.jar

4f77bf588e0b721e68971059b0cefe21 (Remittance Advice.jar)

b0ba5d6fdd26d81a6a2f050600ade3f0 (Remittance Advice.jar)

d742beba17f7893b2b4989661652a66f (Remittance Advice.jar)

61ecd8f17d405fa1c29dd78008011250 (Remittance Advice.jar)

ccac2b99cb4b72bc7728a8fc42ccc4ad (Remittance Advice.jar)

76e87575e76b2ea28e1bb49e4c280152 (Remittance Advice.jar)

7854ccf3208f805da7ec19a067ae3abe (Remittance Advice.jar)

ca741116466d5ddbcb76df00748bb885 (Remittance Advice.jar)

9b7ebeff190cef02a7c22072d3d26ab3 (Remittance Advice.jar)

639865eb7fac1b405b223cb4b7fe9ada ({E60A953D}-Remittance Advice.jar)

e6fdc2140f6047fad60720cdf2157f9c (Remittance.jar)

aae120bf74131d04e47d99b16af41120 (Remittance.jar)

3d43a83b1c8877e782ff69650ec00449 (Remittance.jar)

4d433929f175c6df366aed139bf34f85 (Remittance.jar)

2ed3b8cdc87a11437f5a15302ce047d6 (Remittance.jar)

8e0f4cb12c6f2fef3a8ff731c195843d (Remittance.jar)

fc20f0068b71cc74e9061a0ea2b5d45a (Cred_Adv043H3272.jar)

791217f372c347f53003ae8a26a2fe54 (Cred_Adv043H3272.jar)

a593cb286e0fca1ca62e690022c6d918 (7z.jar)

8d2c718599ed0aff7ab911e3f1966e8c (qealler.jar)

5a8915c3ee5307df770abdc109e35083 (main.py)

82.196.11[.]96:54869/lib/qealler

82.196.11[.]96:443/lib/qealler

128.199.60[.]13:443/lib/qealler

37.139.12.136:443/lib/qealler

192.81.222[.]28:41210/lib/qealler

37.139.12[.]169:23980/lib/qealler

37.139.12[.]169:16901/lib/qealler

176.58.117[.]125:8676/lib/qealler

176.58.117[.]125:8796/lib/qealler

146.185.139[.]123:6521/lib/qealler

159.65.84[.]42:10846/lib/qealler

159.65.84[.]42:12536/lib/qealler

139.59.76[.]44:4000/lib/qealler

128.199.60[.]13:47222/lib/7z

128.199.60[.]13:443/lib/7z

128.199.60[.]13:46061/lib/7z

82.196.11[.]96:54869/lib/7z

82.196.11[.]96:443/lib/7z

37.139.12[.]136:443/lib/7z

192.81.222[.]28:39871/lib/7z

176.58.117[.]125:8650/lib/7z

176.58.117[.]125:8796/lib/7z

159.65.84[.]42:11268/lib/7z

82.196.11[.]96:56636/qealler-reloaded/ping

37.139.12[.]136:36561/qealler-reloaded/ping

128.199.60[.]13:56636/qealler-reloaded/ping

192.81.222[.]28:46871/qealler-reloaded/ping

176.58.117[.]125:5797/qealler-reloaded/ping