A new highly obfuscated malware dubbed
The initial attack starts with a social engineering technique: the attackers send the victim a malicious JAR file disguised as an invoice-related document. When the user double-clicks the file, the malware is downloaded from a compromised site.
Zscaler initially observed the campaign on Jan 21, 2019, and the malware has been active for more than two weeks.
The JAR files were heavily obfuscated using ProGuard, an open source command-line tool that shrinks, optimizes and obfuscates Java code.
Upon execution of the malware, a file is downloaded and saved under %USERPROFILE%; if the directory doesn't exist, the malware creates it and stores the encrypted file in that location.
%USERPROFILE%a60fcc00bda431f8a90f3bcc83e7cdf9 (/lib/7z)
%USERPROFILE%a60fcc00bda431f8a90f3bccdb2bf213 (/lib/qealler)
Along with the two downloaded files, a unique machine ID is generated and written to another file path. The 7z file contains a
The 7-Zip executable is called by the main sample to open the downloaded Qealler module, which is a password-protected archive that extracts once the password is supplied.
The extracted Qealler module contains Python 2.7.12, in case the Python framework is not present on the
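The two dropped file names above are a cheap host-based check for this campaign. The script below is an added example written for this article, not code from Zscaler or from the malware; it assumes the files sit directly inside the user profile directory under exactly those names (the page prints the paths without a separator, so this is an assumption) and it computes a SHA-256 for each hit so the artifact can be submitted for further analysis. The hashes of the real samples are not given on the page, so the script only reports what it finds and does not try to match file contents.

```python
import hashlib
import os

# File names reported for this campaign (from the write-up above).
# The remote paths in parentheses on the page are where the files were fetched
# from; they are not part of the local name.
QEALLER_ARTIFACTS = {
    "a60fcc00bda431f8a90f3bcc83e7cdf9": "7-Zip executable (remote /lib/7z)",
    "a60fcc00bda431f8a90f3bccdb2bf213": "Qealler module (remote /lib/qealler)",
}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so a large dropped archive does not go into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_profile(profile_dir=None):
    """Look for the campaign's dropped files directly under the user profile.

    profile_dir defaults to %USERPROFILE% (or the home directory elsewhere).
    Returns a list of dicts, one per artifact present; an empty list means no hit.
    Assumption: the files are stored directly in the profile directory.
    """
    if profile_dir is None:
        profile_dir = os.environ.get("USERPROFILE") or os.path.expanduser("~")

    hits = []
    for name, description in QEALLER_ARTIFACTS.items():
        path = os.path.join(profile_dir, name)
        if os.path.isfile(path):
            hits.append(
                {
                    "path": path,
                    "description": description,
                    "size": os.path.getsize(path),
                    "sha256": sha256_of(path),
                }
            )
    return hits


def report(hits):
    """Render findings as plain text lines for a console or a ticket."""
    if not hits:
        return ["no Qealler artifacts found"]
    return [
        "%s  %d bytes  sha256=%s  (%s)"
        % (h["path"], h["size"], h["sha256"], h["description"])
        for h in hits
    ]


if __name__ == "__main__":
    for line in report(scan_profile()):
        print(line)
```

Run it in the context of the user whose profile you want to inspect; a hit on either name is worth pulling the file (and the JAR that started the chain) for analysis, since the extracted Qealler module is itself only reachable after 7-Zip opens the password-protected archive.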