Java/Kryptik.XF!tr

Analysis

Java/Kryptik.XF!tr is a generic detection for a trojan credential stealer that has come to be known as Qealler. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • The majority of this malware's functionality is sometimes found in Java classes called Header or Head in the package qua.enterprise.reaqtor.reaqtions.standartbootstrap.

  • However, there are variants that include an extra layer of encryption. This outer layer consists of a JAR file with embedded JavaScript.

  • This embedded JavaScript is executed using ScriptEngineManager and decrypts the Header or Head class contained in one of the files found in this malware's JAR archive.
    • The file is decrypted using AES.
    • The Header/Head code is executed by loading the class into memory and instantiating it to run its main method.

  • The Header/Head class contains the majority of the functionality, including:
    • Loading additional classes to support its functionality by decrypting (with AES) other files contained in its JAR.
    • Downloading and unpacking a password-protected 7z archive containing Qazagne, a password-stealer tool used to harvest credentials.
    • Sending stolen credentials to attacker-controlled servers.

  • Below is an illustration of some Head class code:

    • Figure 1: Head class after decryption (image not reproduced in this text).


  • Qazagne is a minified version of the open-source tool LaZagne. It is used to retrieve stored passwords from a system.
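The characteristics above (the standartbootstrap package, the Header/Head class names, an embedded JavaScript file, and in-memory AES decryption and class loading) can be turned into a static JAR triage check. The script below is an added example written for this page, not Fortinet's signature or any code from the malware; the sample JARs it builds are constructed stand-ins whose .class entries only contain the constant-pool strings being looked for, not real bytecode.

```python
import io
import re
import zipfile

# Indicators drawn from the observed characteristics listed above
PACKAGE_PREFIX = "qua/enterprise/reaqtor/reaqtions/standartbootstrap/"
LOADER_CLASSES = {"Header.class", "Head.class"}
# Strings that land in a class's constant pool when it scripts, decrypts or loads code in memory
CLASS_STRINGS = {
    b"javax/script/ScriptEngineManager": "embedded-script-engine",
    b"javax/crypto/Cipher": "crypto-cipher",
    b"defineClass": "in-memory-class-loading",
}
# A constant-pool Utf8 entry is a 2-byte big-endian length followed by the bytes,
# so this matches a short literal such as "AES" or "AES/CBC/PKCS5Padding"
AES_LITERAL = re.compile(rb"\x00[\x03-\x3f]AES")

def triage_jar(jar_bytes: bytes) -> dict:
    """Map each indicator name to the JAR entries that exhibited it."""
    hits = {}
    def add(tag, name):
        hits.setdefault(tag, []).append(name)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(PACKAGE_PREFIX):
                add("known-package", name)
            if name.rsplit("/", 1)[-1] in LOADER_CLASSES:
                add("loader-class-name", name)
            if name.lower().endswith(".js"):
                add("embedded-javascript", name)
            if name.endswith(".class"):
                data = jar.read(name)
                for needle, tag in CLASS_STRINGS.items():
                    if needle in data:
                        add(tag, name)
                if AES_LITERAL.search(data):
                    add("aes-literal", name)
    return hits

def is_suspicious(hits: dict) -> bool:
    """Flag the known package outright, otherwise require the script-engine plus decrypt/load chain."""
    if "known-package" in hits or "loader-class-name" in hits:
        return True
    chain = {"crypto-cipher", "in-memory-class-loading", "embedded-javascript"}
    return "embedded-script-engine" in hits and len(chain & hits.keys()) >= 2

def build_sample_jar(malicious: bool) -> bytes:
    """Constructed sample JAR for demonstration; .class entries are placeholder bytes, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if malicious:
            z.writestr("boot.js", "// constructed placeholder for the embedded script\n")
            z.writestr("Stub.class", b"\xca\xfe\xba\xbe\x00\x20javax/script/ScriptEngineManager")
            z.writestr(PACKAGE_PREFIX + "Header.class",
                       b"\xca\xfe\xba\xbe\x00\x03AES\x00\x13javax/crypto/Cipher\x00\x0bdefineClass")
        else:
            z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe\x00\x10java/lang/System")
    return buf.getvalue()
```

A real triage run would point `triage_jar` at the bytes of a quarantined JAR; the constant-pool strings are only a first filter, since a packed outer layer hides the Header/Head class until the embedded script has decrypted it.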


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2020-05-05 77.20300 Sig Updated
2019-12-31 74.20000 Sig Updated
2019-03-13 67.02500 Sig Updated
2019-03-05 66.83600 Sig Updated
2019-02-26 66.67000 Sig Updated
2018-09-25 62.46700 Sig Updated