SBN

Qealler – a new JAR-based information stealer

Recently, the Zscaler ThreatLabZ team came across a new type of malware called Qealler, which is written in Java and designed to silently steal sensitive information from an infected machine. Qealler is a highly obfuscated Java loader that deploys a Python credential harvester. We first saw this payload hit Zscaler Cloud Sandbox on Jan 21, 2019, and below is a screenshot of the detonation report. Fig. 1: Zscaler Cloud Sandbox report This threat makes use of social engineering techniques to initiate the infection, as the malicious JAR file has to be executed by the user. These malicious JAR files are portrayed as invoice-related files, requiring the user to double-click on the file to open it. We have been monitoring this campaign for the past two weeks, and the malware has been quite active, spiking this week. Fig. 2: Hits of Qealler in a week The malicious JAR file (named Remittance.jar), which we analyzed, was getting downloaded from a compromised site (hiexsgroup.co[.]uk). It is heavily obfuscated with Proguard Java obfuscator. After deobfuscation and decompilation, we saw encrypted URLs that are accessible by a key, as shown in the figure below. Fig. 3: Accessing encrypted URLs The sample has a “synchronized” file that contains key-value pairs. Fig. 4: Key-Value pair of encrypted URLs On execution, this sample first creates two file paths in %USERPROFILE% by checksum of hardcoded strings. Fig. 5: File Path creation File path 1: %USERPROFILE%\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\CRC32(“qealler”)\\CRC32(“lib”)\\CRC32(“8e65457409fea4b2a183125f1c0f552080edb4cefa516b14698cb8d0abf5bb6dFILE”) Equivalent to: %USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\83e7cdf9 File Path 2: %USERPROFILE%\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\CRC32(“qealler”)\\CRC32(“lib”)\\CRC32(“0e10ad6938994f2466b192d8f29217ad39155b8a3a082b6412048f4a12126b3bFILE”) Equivalent to: %USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\db2bf213 If the above two files don’t exist, the malicious file decrypts the URL, downloads these two files, and stores them in the same place. Fig. 6: Encrypts and drops downloaded module The value of LIB_7Z_URL in the synchronized file is “xVQR4PWAw91AhkgaMsQVAVV1igV7HSOV1dqWgFN23eQtkNRd23RzTnPVGB9/iVYA” which is decoded by BASE64 and decrypted by AES-EBC with the hardcoded key “bbb6fec5ebef0d93”. The final URL after decryption is hxxp://82.196.11[.]96:55326/lib/7z The value of LIB_QEALLER_URL in the synchronized file is “xVQR4PWAw91AhkgaMsQVAaWhGxVQIpMxX60ZE+OpV3KjNnWvOARi0rccZaVSvle8”, it is also decrypted by the same algorithm with the same key. The final URL is hxxp://82.196.11[.]96:54869/lib/qealler The sample downloads the data from these URLs and encrypts it using the AES algorithm with the key generated by SecureRandom() having hardcoded seed value “2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”. AES key: 39 3e df 7e fc 58 be 20 60 e4 78 bb 4a 91 38 72 After encryption, it stores both files at the below locations to avoid further downloading in the next run: %USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\83e7cdf9 (/lib/7z) %USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\db2bf213 (/lib/qealler) Fig. 7: Created path and dropped files Along with these two files, the virus creates another file path with the following algorithm and stores an encrypted unique machine ID in it. The ID is generated by a random number of system nanoTime. Machine ID path: %USERPROFILE%\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\CRC32(“qealler”)\\CRC32(“machine”)\\CRC32(“id”)\\CRC32(“d”)\\CRC32(“q”) Equivalent to: %USERPROFILE%\\a60fcc00\\bda431f8\\1505df84\\bf396750\\98dd4acc\\99de3ada After the downloading and decryption steps are completed, the sample stores a decrypted copy of 83e7cdf9 and db2bf213 in the %TEMP% directory with the name “_.tmp”.  _502560701855008616300501457487639.tmp _502562165489004300569223733573535.tmp _502560701855008616300501457487639.tmp (/lib/7z) is again a JAR file that doesn’t have any Java code inside, but contains three PE files inside the libraries as shown in Fig 8. Fig. 8: Content of _502560701855008616300501457487639.tmp (/lib/7z) 7za.exe is a repackaged version of 7-zip to ensure the malware executes successfully even if the user does not have it installed by default. The 7-zip (7za.exe) and its modules (7za.dll, 7zxa.dll) will be extracted from 7z.jar by the main sample and saved in the %TEMP% directory with the name “7z_.exe” and “7z_.dll”. 7z_502574395484008643130462441900754.exe 7z_502567545558005642490654395727502.dll 7z_502579570140002751296504101539829.dll After extraction, the 7-zip executable is called by the main sample with the following command-line options:  %TEMP%\\7z_502574395484008643130462441900754.exe x %TEMP%\\_502562165489004300569223733573535.tmp -o%TEMP% -p”bbb6fec5ebef0d936db0b031b7ab19b6” -mmt -aoa -y The downloaded Qealler module _502562165489004300569223733573535.tmp (/lib/qealler) is a password-protected file with 7-zip. The above command will extract the Qealler module in the %TEMP% directory with the password: bbb6fec5ebef0d936db0b031b7ab19b6 -mmt: use multithreading mode -aoa: set overwrite mode -y: assume yes for all the prompts The Qealler module is the key component of this malware. The extracted Qealler module contains Python 2.7.12 with the installed packages to ensure the malware will execute even if the user does not have it installed by default. The Qealler also has a directory named QaZaqne. It is a custom version of the open source project called LaZagne. LaZagne is used to retrieve lots of passwords stored on a local computer. This is the same functionality of QaZagne, which finds and steals credentials of the most commonly used software from local machines. Fig. 9: Content of extracted _502562165489004300569223733573535.tmp (/lib/qealler) After extraction, the main sample (Remittance.jar) executes a Python file of QaZagne (main.py) with the following option and takes the JSON output: %TEMP%\\qealler\\python\\python.exe %TEMP%\qealler\qazaqne\main.py all Fig. 10: Stealer functions in QaZaqne module This will get the credentials of all the software shown in the figure below: Fig. 11: Qealler steals credentials of the software in this table The output of the QaZagne on an infected Windows machine is shown in Fig 12. It is in JSON format and contains the credentials of CoreFTP and a Windows credential manager. It always starts with #fs# and ends with #ff#. Fig. 12: JSON output of QaZaqne module The main sample parses this output, fetches below system information, and encrypts it using an AES-EBC algorithm with key “bbb6fec5ebef0d93”. Fig. 13: Fetch and encrypt system info The final information scraped from the infected machine before encryption is shown below. Fig. 14: Scrapped data from an infected machine Here, machine_id is a unique ID generated by system nanoTime and uuid is encrypted in a synchronized file. This output is encrypted and encoded with BASE64 and sent to the command-and-control (C2) server, whose URL is an encrypted value of the key “d7c363a2019dac744cf076e11433547a47907e2c2f781e2d1c8f59a40c57dd03” in a synchronized file. C2 URL: hxxp://82.196.11[.]96:56636/qealler-reloaded/ping Fig. 15: Data sent to C2 In the post headers, q-qealler-id is the encrypted machine ID and q-qealler-stub-id is the encrypted hash of the machine ID and system time. The request body contains encrypted and encoded system information and stolen credentials. If the C2 server is active and data is successfully sent to the server, it will respond with the encrypted status, which looks like the following after decryption:  {“status”:”2000″,”message”:”success”,”extended”:[],”time”:1548096059}   IOCs: hiexsgroup.co[.]uk/?_sm_nck=1 lcbodywowrksltd[.]online willsonsolicitors[.]biz willsonsolicitors[.]online willsonsolicitors[.]store mcneilspecs[.]com mcneilspecs[.]org mcneilspecs[.]net prestigebuildersltd[.]com prestigebuildersltd[.]net larrgroup.co[.]uk/remittance%20advice.jar prestonbuildersltd.co[.]uk/remittance%20advice.jar otorgroup.co[.]uk/remittance%20advice.jar ultrogroup.co[.]uk/remittance%20advice.jar stgeorgebuildltd.co[.]uk/remittance%20advice.jar gregoryteebuilders.co[.]uk/remittance%20advice.jar txjxgroup.co[.]uk/remittance.jar kingagroup.co[.]uk/remittance%20advice.jar hiexgroup.co[.]uk/remittance%20advice.jar salmogroup.co[.]uk/remittance%20advice.jar   4f77bf588e0b721e68971059b0cefe21 (Remittance Advice.jar) b0ba5d6fdd26d81a6a2f050600ade3f0 (Remittance Advice.jar) d742beba17f7893b2b4989661652a66f (Remittance Advice.jar) 61ecd8f17d405fa1c29dd78008011250 (Remittance Advice.jar) ccac2b99cb4b72bc7728a8fc42ccc4ad (Remittance Advice.jar) 76e87575e76b2ea28e1bb49e4c280152 (Remittance Advice.jar) 7854ccf3208f805da7ec19a067ae3abe (Remittance Advice.jar) ca741116466d5ddbcb76df00748bb885 (Remittance Advice.jar) 9b7ebeff190cef02a7c22072d3d26ab3 (Remittance Advice.jar) 639865eb7fac1b405b223cb4b7fe9ada ({E60A953D}-Remittance Advice.jar) e6fdc2140f6047fad60720cdf2157f9c (Remittance.jar) aae120bf74131d04e47d99b16af41120 (Remittance.jar) 3d43a83b1c8877e782ff69650ec00449 (Remittance.jar) 4d433929f175c6df366aed139bf34f85 (Remittance.jar) 2ed3b8cdc87a11437f5a15302ce047d6 (Remittance.jar) 8e0f4cb12c6f2fef3a8ff731c195843d (Remittance.jar) fc20f0068b71cc74e9061a0ea2b5d45a (Cred_Adv043H3272.jar) 791217f372c347f53003ae8a26a2fe54 (Cred_Adv043H3272.jar) a593cb286e0fca1ca62e690022c6d918 (7z.jar) 8d2c718599ed0aff7ab911e3f1966e8c (qealler.jar) 5a8915c3ee5307df770abdc109e35083 (main.py)   82.196.11[.]96:54869/lib/qealler 82.196.11[.]96:443/lib/qealler 128.199.60[.]13:443/lib/qealler 37.139.12.136:443/lib/qealler 192.81.222[.]28:41210/lib/qealler 37.139.12[.]169:23980/lib/qealler 37.139.12[.]169:16901/lib/qealler 176.58.117[.]125:8676/lib/qealler 176.58.117[.]125:8796/lib/qealler 146.185.139[.]123:6521/lib/qealler 159.65.84[.]42:10846/lib/qealler 159.65.84[.]42:12536/lib/qealler 139.59.76[.]44:4000/lib/qealler   128.199.60[.]13:47222/lib/7z 128.199.60[.]13:443/lib/7z 128.199.60[.]13:46061/lib/7z 82.196.11[.]96:54869/lib/7z 82.196.11[.]96:443/lib/7z 37.139.12[.]136:443/lib/7z 192.81.222[.]28:39871/lib/7z 176.58.117[.]125:8650/lib/7z 176.58.117[.]125:8796/lib/7z 159.65.84[.]42:11268/lib/7z   82.196.11[.]96:56636/qealler-reloaded/ping 37.139.12[.]136:36561/qealler-reloaded/ping 128.199.60[.]13:56636/qealler-reloaded/ping 192.81.222[.]28:46871/qealler-reloaded/ping 176.58.117[.]125:5797/qealler-reloaded/ping    


*** This is a Security Bloggers Network syndicated blog from Research Blog authored by [email protected]. Read the original post at: https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer