Java/Kryptik.XF!tr
Analysis
Java/Kryptik.XF!tr is a generic detection for a trojan credential stealer that has come to be known as Qealler. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- The majority of this malware's functionality is sometimes found in Java classes called Header or Head in the package qua.enterprise.reaqtor.reaqtions.standartbootstrap.
- However, there are variants that include an extra layer of encryption. This outer layer consists of a JAR file with embedded JavaScript.
- This embedded JavaScript is executed using ScriptEngineManager and decrypts the Header or Head class contained in one of the files found in this malware's JAR archive.
- The file is decrypted using AES.
- Executes the Header/Head code by loading the class into memory and instantiating it to run its main method.
- The Header/Head class contains the majority of the functionality, including:
- Loading additional classes to support its functionality by decrypting (with AES) other files contained in its JAR.
- Downloading and unpacking a password-protected 7z archive containing Qazagne, a password-stealer tool used to steal credentials.
- Sending stolen credentials to attacker controlled servers.
- Below is an illustration of some Head class code:
[Figure 1: Head class after decryption.]
- Qazagne is a minified version of the open-source tool Lazagne. It is used to retrieve stored passwords from a system.
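The traits listed above (a Head/Header class in the named package, embedded JavaScript run through ScriptEngineManager, and opaque non-class entries holding the AES-encrypted class) can be checked statically in a quarantined JAR. The following Python triage script is an added example, not Fortinet's detection logic; the sample JAR is constructed inline, and the assumption that the indicators appear as plain entry names and strings inside the archive is the author's, not the page's.

```python
# Added example: static triage of a JAR for the Qealler traits listed above.
# Not Fortinet's detection logic. Sample JAR bytes are constructed inline.
import io
import zipfile

# Indicators drawn from this page; how they appear in the archive is assumed.
SUSPECT_PACKAGE = "qua/enterprise/reaqtor/reaqtions/standartbootstrap/"
SUSPECT_CLASSES = ("Header.class", "Head.class")
SCRIPT_MARKER = b"ScriptEngineManager"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

def triage_jar(jar_bytes: bytes) -> dict:
    """Return which Qealler-style traits the entries of a JAR exhibit."""
    found = {"suspect_classes": [], "embedded_js": [], "script_engine": [], "opaque_blobs": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith(SUSPECT_PACKAGE) and name.endswith(SUSPECT_CLASSES):
                found["suspect_classes"].append(name)
            if name.lower().endswith(".js"):
                found["embedded_js"].append(name)
            if SCRIPT_MARKER in data:  # class constant pool or script source
                found["script_engine"].append(name)
            # Candidate encrypted payloads: non-code, non-manifest entries
            # that carry no class-file header (the AES-wrapped Head class).
            if (not name.endswith((".class", ".js", "/"))
                    and not name.startswith("META-INF/")
                    and not data.startswith(CLASS_MAGIC)):
                found["opaque_blobs"].append(name)
    return found

def is_qealler_like(found: dict) -> bool:
    """Plain variant: Head/Header class present. Layered variant: JS + engine + blob."""
    layered = bool(found["embedded_js"] and found["script_engine"] and found["opaque_blobs"])
    return bool(found["suspect_classes"]) or layered

def build_sample_jar(layered: bool = True) -> bytes:
    """Constructed JAR, not a real sample: layered (JS + encrypted blob) or plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", CLASS_MAGIC + (b"javax/script/ScriptEngineManager" if layered else b"\0" * 8))
        if layered:
            zf.writestr("stage.js", "var m = new javax.script.ScriptEngineManager();")
            zf.writestr("res/a.bin", b"\x91\x3f\xaa" * 16)  # stands in for the AES-encrypted Head
        else:
            zf.writestr(SUSPECT_PACKAGE + "Head.class", CLASS_MAGIC + b"\0" * 8)
    return buf.getvalue()
```

Run `triage_jar` on the bytes of a quarantined JAR to list the matching entries; the heuristics only flag candidates for analysis and are not a substitute for the signature.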
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.