A new highly obfuscated malware dubbed
The initial attack starts with a social engineering technique: attackers send the victim a malicious JAR file disguised as an invoice-related file. When the user double-clicks to open the file, the malware is downloaded from a compromised site.
Zscaler initially observed the campaign on Jan 21, 2019, and the malware has been active for more than 2 weeks.
The JAR files were heavily obfuscated using ProGuard, an open-source command-line tool that shrinks, optimizes and obfuscates Java code.
Upon execution of the malware, a file is downloaded and saved to %USERPROFILE%; if the directory doesn't exist, it creates the directory and stores the encrypted file in the same location.
Along with the two downloaded files, a unique machine ID is generated in another file path. The 7z file contains a
The 7-Zip executable is called by the main sample, and the downloaded Qealler module is a password-protected file that opens once the password is applied.
The executed Qealler module contains Python 2.7.12, in case the Python framework is not present in the
The extracted Remittance[.]jar executes a Python file, main[.]py, which steals credentials on the infected Windows machine. The scraped information is encrypted, encoded with BASE64 and sent to the command-and-control (C2) server.
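As an added example (not code from the Zscaler analysis or from this article), the routine below statically triages a JAR for the traits described above: ProGuard-style one- or two-letter class names and embedded 7z, PE or Python payloads. The magic-byte table, the 80% threshold and the constructed sample JAR are assumptions.

```python
import io
import zipfile

# Magic bytes of payloads the dropper is reported to bundle or fetch
# (7-Zip archive, Windows PE); constructed table, extend as needed.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z archive",
    b"MZ": "PE executable",
}

def class_stem(name: str) -> str:
    """'pkg/a.class' -> 'a'."""
    return name.rsplit("/", 1)[-1][:-len(".class")]

def triage_jar(data: bytes) -> dict:
    """Static triage: ProGuard-style minified names plus embedded binaries/scripts."""
    findings = {"short_class_ratio": 0.0, "embedded": [], "python_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        classes = [n for n in zf.namelist() if n.endswith(".class")]
        if classes:
            # ProGuard renames classes to a, b, c ...; count 1-2 char stems
            short = sum(1 for n in classes if len(class_stem(n)) <= 2)
            findings["short_class_ratio"] = round(short / len(classes), 2)
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.endswith(".py"):
                findings["python_files"].append(info.filename)
            with zf.open(info) as fh:
                head = fh.read(8)
            for magic, label in MAGIC.items():
                if head.startswith(magic):
                    findings["embedded"].append((info.filename, label))
    # Assumed threshold: 80%+ one/two-letter class names is a strong minification signal
    findings["suspicious"] = (findings["short_class_ratio"] >= 0.8
                              or bool(findings["embedded"])
                              or bool(findings["python_files"]))
    return findings

def build_sample_jar() -> bytes:
    """Constructed stand-in resembling the described dropper; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a\n")
        for name in ("a", "b", "c", "d"):
            zf.writestr(f"{name}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
        zf.writestr("res/7za.exe", b"MZ" + b"\x00" * 32)
        zf.writestr("res/qealler.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32)
        zf.writestr("main.py", "print('constructed')\n")
    return buf.getvalue()
```

Run `triage_jar(open("suspect.jar", "rb").read())` on a quarantined attachment; a high short-class ratio alone is only a hint, since legitimate shrunken apps also use ProGuard, but combined with an embedded archive or interpreter it warrants sandbox detonation.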