A new highly obfuscated malware dubbed Qealler designed to steal sensitive information from the infected machine. The malware is written in java.
The initial attack starts with social engineering technique, attackers send the victim a malicious JAR file disguised as an invoice-related file, when the user double-clicks to open the file, then malware will get downloaded from a compromised site.
Zscaler initially observed the campaign on Jan 21, 2019, and the malware is active for more than 2 weeks.
The JAR files were heavily obfuscated using an open source command-line tool ProGuard that shrinks, optimizes and obfuscates Java code.
Upon execution of malware, a file will be downloaded and saved to %USERPROFILE% if the directory doesn’t exist it creates the directory and stores the file in the encrypted file in the same location.
%USERPROFILE%\a60fcc00\bda431f8\a90f3bcc\83e7cdf9 (/lib/7z)
%USERPROFILE%\a60fcc00\bda431f8\a90f3bcc\db2bf213 (/lib/qealler)
Along with the two downloaded files, a unique machine ID is generated in another file path. The 7z file contains a repackaged version of 7za[.]exe and additional DLL files.
The 7-zip executable is called by the main sample and the downloaded Qealler module is a password-protected file, that opens after applying the password.
Executed Qealler module contains Python 2.7.12, in case python framework not present in the user system it will install the module and also creates a directory named QaZaqne.
The extracted Remittance[.]jar executes a python file main[.]py, which steals the credentials on an infected Windows machine. The scraped information from the C&C server is encrypted and encoded with BASE64 and sent to the command-and-control (C2) server.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
The U.S. Department of Justice has unsealed a federal indictment against Rustam Rafailevich Gallyamov, 48,…
FortiGuard Labs released an urgent advisory detailing a critical vulnerability, CVE-2025-32756, affecting several Fortinet products,…
A sweeping international crackdown, codenamed Operation RapTor, has dealt a significant blow to the criminal…
On May 22, 2025, Commvault, a leading enterprise data backup provider, issued an urgent advisory…
Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light on…
Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure (OCI)…