The initial attack starts with social engineering: the attackers send the victim a malicious JAR file disguised as an invoice-related document. When the user double-clicks to open the file, the malware is downloaded from a compromised site.
The JAR files were heavily obfuscated using ProGuard, an open-source command-line tool that shrinks, optimizes and obfuscates Java code.
Upon execution of the malware, a file is downloaded and saved to %USERPROFILE%. If that directory does not exist, the malware creates it and stores the downloaded file, in encrypted form, in the same location.
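Because ProGuard's default renaming collapses class names to short identifiers such as `a`, `b`, `aa`, a triage check for a suspicious JAR is to look at the ratio of such names among its `.class` entries. The following is an added example written for this page, not code from the original post or from the malware analysis; the threshold and the constructed sample archives are assumptions, and the check is a heuristic only, since legitimate release builds are also routinely shrunk with ProGuard.

```python
"""Heuristic triage of a JAR for ProGuard-style class-name obfuscation."""
import io
import zipfile


def analyze_jar(data: bytes) -> dict:
    """Return class-name statistics for an in-memory JAR (a JAR is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        classes = [n for n in zf.namelist() if n.endswith(".class")]

    short = 0
    for name in classes:
        # Base name without the package path and the .class extension.
        base = name.rsplit("/", 1)[-1][: -len(".class")]
        # ProGuard's default dictionary yields names like a, b, aa, ab.
        if len(base) <= 2 and base.isalpha() and base.islower():
            short += 1

    total = len(classes)
    ratio = short / total if total else 0.0
    return {"classes": total, "short_names": short, "short_ratio": ratio}


def looks_obfuscated(data: bytes, threshold: float = 0.6) -> bool:
    """True when most class names are ProGuard-style; threshold is an assumed value."""
    stats = analyze_jar(data)
    # Require a few classes so a one-class stub does not trip the check.
    return stats["classes"] >= 3 and stats["short_ratio"] >= threshold


def build_sample_jar(entries) -> bytes:
    """Construct a minimal JAR containing the given entry names (test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a\n")
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


# Constructed inputs: an archive laid out like a ProGuard-renamed build, and a
# conventionally named one for comparison.
OBFUSCATED_SAMPLE = build_sample_jar(
    ["a.class", "b.class", "c.class", "d/e.class", "d/f.class"]
)
CLEAN_SAMPLE = build_sample_jar(
    [
        "com/example/invoice/InvoiceViewer.class",
        "com/example/invoice/PdfLoader.class",
        "com/example/util/Config.class",
    ]
)

if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, analyze_jar(sample), looks_obfuscated(sample))
```

Treat a hit as a reason to pull the archive into a sandbox and inspect the manifest's `Main-Class` and any embedded resources, not as a verdict on its own.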
Along with the two downloaded files, a unique machine ID is generated in another file path. The 7z file contains a
The executed Qealler module bundles Python 2.7.12, in case a Python framework is not present in the
The extracted Remittance[.]jar executes a Python file, main[.]py, which steals credentials from the infected Windows machine. The scraped information is encrypted, Base64-encoded and sent to the command-and-control (C2) server.