Qealler – Heavily Obfuscated JAR-based Password Stealer Malware Delivered Through Invoice-related Files

A new highly obfuscated malware dubbed Qealler designed to steal sensitive information from the infected machine. The malware is written in java.

The initial attack starts with social engineering technique, attackers send the victim a malicious JAR file disguised as an invoice-related file, when the user double-clicks to open the file, then malware will get downloaded from a compromised site.

Zscaler initially observed the campaign on Jan 21, 2019, and the malware is active for more than 2 weeks.

The JAR files were heavily obfuscated using an open source command-line tool ProGuard that shrinks, optimizes and obfuscates Java code.

Upon execution of malware, a file will be downloaded and saved to %USERPROFILE% if the directory doesn’t exist it creates the directory and stores the file in the encrypted file in the same location.

%USERPROFILE%a60fcc00bda431f8a90f3bcc83e7cdf9 (/lib/7z)

%USERPROFILE%a60fcc00bda431f8a90f3bccdb2bf213 (/lib/qealler)

Along with the two downloaded files, a unique machine ID is generated in another file path. The 7z file contains a repackaged version of 7za[.]exe and additional DLL files.

The 7-zip executable is called by the main sample and the downloaded Qealler module is a password-protected file, that opens after applying the password.

Executed Qealler module contains Python 2.7.12, in case python framework not present in the user system it will install the module and also creates a directory named QaZaqne.