Yoroi-Cybaze Zlab: The Qrypter malware, a MaaS usually launched in combination with AdWind/jRAT, is evolving. A targeted campaign in Italy reveals a new version, capable of evading several antivirus engines
Qrypter malware is evolving. This has been confirmed by Yoroi-Cybaze ZLab cyber security experts, who analyzed some malicious emails sent to a very few organizations, with contents specifically tailored for Italian-speaking targets. The malicious code is a Malware-as-a-Service (MaaS), especially popular for its usage in combination with AdWind/jRAT. However, the new sample seems to exhibit different protection techniques with respect to the previously documented ones. Most files in the archive are encrypted and only one of them is a runnable Java class. It contains a Java Main, responsible for decrypting and launching the actual payload. Reversing this class, the Qrypter capabilities emerge. Even if the final payload is a well-known one, the crypter made it invisible to several antivirus engines. Moreover, this version seems different from the older ones: the intensive use of reflection techniques and the state-machine approach had never been seen before.
How the malicious code works
According to Yoroi’s ZLab, the Qrypter decryption routine takes advantage of Java reflection to make the analysis harder. Every single object used by the malware is loaded at runtime; for example, the malicious code assigns the object System.out to a local variable rather than referencing it directly. The “main” static method, its initial entry point, consists of a few lines of code that set up the right initial parameters for the actual decryption routine. Moreover, it implements a finite state machine (FSM) using the switch approach, a classical formal computational method commonly adopted by Information Engineers and Computer Scientists. The initial state is set to “24”. The switch instruction repeatedly checks the value of the “currentState” variable, indicating the machine’s last state, and then jumps to the right case statement depending on its value. Each “case” contains one step of the decryption routine and an instruction used to move from the current state to the next one. Using different reflection layers, the malware tries to load the class “qua.qrypter.Runner”, whose name is held in a local variable; this is the point where the class throws an exception when run outside its archive, due to the missing class.
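The switch-based state machine described above is a form of control-flow flattening: the source order of the cases says nothing about the execution order, which is fixed only by the next-state value each case writes. The following Python model is an added example for this article, not Qrypter's code; the initial state 24 is the one reported in the analysis, while the other state numbers, the step names and the string transforms are constructed so that the dispatch pattern is observable. It shows the dynamic view (emulating the while/switch loop) beside the static view an analyst wants, which recovers the real step order from the next-state constants and lists cases nothing ever transitions to.

```python
"""Constructed model of a switch-dispatched (flattened) routine plus the
analyst's static linearizer. Added illustration, not the malware's code."""
from typing import Callable, Dict, List, Optional, Set, Tuple

Action = Callable[[dict], None]
# (label, action, next state); a next state of None halts the machine.
State = Tuple[str, Action, Optional[int]]


# Toy step bodies: they only transform a string so the order is visible.
# The real loader performs reflective loads and decryption steps instead.
def _init(ctx: dict) -> None:
    ctx["buf"] = ctx["seed"]


def _reverse(ctx: dict) -> None:
    ctx["buf"] = ctx["buf"][::-1]


def _upper(ctx: dict) -> None:
    ctx["buf"] = ctx["buf"].upper()


def _finish(ctx: dict) -> None:
    ctx["result"] = ctx["buf"]


def _decoy(ctx: dict) -> None:
    ctx["result"] = "never reached"


# Cases deliberately listed out of execution order, as a flattened routine
# reads in a decompiler. State numbers other than 24 are made up.
STATES: Dict[int, State] = {
    2: ("finish", _finish, None),
    31: ("step_b", _upper, 2),
    99: ("decoy", _decoy, 24),  # no case transitions to 99: unreachable
    24: ("init", _init, 7),
    7: ("step_a", _reverse, 31),
}
INITIAL_STATE = 24


def run_dispatcher(states: Dict[int, State], start: int, ctx: dict) -> dict:
    """Dynamic view: emulate the loop-around-a-switch dispatcher."""
    current: Optional[int] = start
    while current is not None:
        _, action, next_state = states[current]
        action(ctx)          # body of the selected case
        current = next_state  # the case's "move to next state" instruction
    return ctx


def linearize(states: Dict[int, State], start: int) -> List[Tuple[int, str]]:
    """Static view: follow the next-state constants from the initial state
    and recover the execution order without running any step."""
    order: List[Tuple[int, str]] = []
    seen: Set[int] = set()
    current: Optional[int] = start
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle back to state {current}")
        seen.add(current)
        label, _, next_state = states[current]
        order.append((current, label))
        current = next_state
    return order


def unreachable_states(states: Dict[int, State], start: int) -> Set[int]:
    """Cases the dispatcher can never select from the initial state."""
    reached = {state for state, _ in linearize(states, start)}
    return set(states) - reached


if __name__ == "__main__":
    print(linearize(STATES, INITIAL_STATE))
    print(unreachable_states(STATES, INITIAL_STATE))
    print(run_dispatcher(STATES, INITIAL_STATE, {"seed": "qrypter"})["result"])
```

When every case writes a constant next state, as modelled here, linearization is a mechanical step and the routine can be read as straight-line code again. If a sample computes the next state at runtime instead, only the dynamic view (emulation or instrumented execution) recovers the order, which is why both views are kept side by side.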
The cyber security experts uncovered the details of the payload protection mechanism by statically analyzing the decryption routine
Statically analyzing the decryption routine, it was possible to reconstruct the Qrypter behaviour and uncover the details of the payload protection mechanism, enabling the cyber security experts to write a custom decipher to extract the next stage of the sample. Inspecting the code, they noticed that the encryption key is stored in a particular variable among the huge number of reflective invocations. With this information, they decrypted all the protected files contained in the initial JAR archive, mimicking the Qrypter behaviour. Moreover, one of the decrypted files is a serialized “LinkedHashMap” object filled with a series of key-value entries representing the mapping between the original file names and the fake/encrypted names. This object is fundamental to reconstruct the actual payload structure. In fact, inspecting the hashmap’s entries, many class names emerge. Their names confirm the presence of AdWind/jRAT malware as the final payload.
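The archive layout described on this page (one runnable class acting as the decryption stub, every other entry an encrypted blob under a fake name) is itself a usable triage signal. The following Python check is an added example for this article, not ZLab's tooling: it opens a JAR, identifies class files by their magic bytes rather than by extension (the names are fake), scores the remaining entries by Shannon entropy, and flags the single-stub-plus-opaque-resources pattern. Both JARs it inspects are constructed in memory from random bytes and placeholder class headers; the entropy threshold and the ratio are assumptions to tune against real samples.

```python
"""Triage check for the crypter layout described above.
Added example; the sample JARs below are constructed, not real malware."""
import io
import math
import os
import zipfile
from collections import Counter
from typing import Dict

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum, typical of encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_jar(jar_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Summarise a JAR and flag the one-class-plus-encrypted-blobs layout."""
    classes, opaque, total = [], [], 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += 1
            data = zf.read(info.filename)
            if data.startswith(JAVA_CLASS_MAGIC):   # detect by magic, not name
                classes.append(info.filename)
            elif shannon_entropy(data) >= entropy_threshold:
                opaque.append(info.filename)
    non_class = total - len(classes)
    opaque_ratio = len(opaque) / non_class if non_class else 0.0
    # Assumed heuristic: exactly one class file and most other entries opaque.
    suspicious = len(classes) == 1 and total >= 3 and opaque_ratio >= 0.5
    return {
        "entries": total,
        "classes": classes,
        "opaque": opaque,
        "opaque_ratio": round(opaque_ratio, 2),
        "suspicious": suspicious,
    }


def build_sample_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory JAR from a name -> bytes mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Placeholder class file: correct magic, then low-entropy filler. Not a
# valid class, only enough for the magic-byte check above.
CLASS_STUB = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00\x01" * 100

# Constructed JAR shaped like the loader on this page: one stub class and
# several random-byte resources under meaningless names.
LOADER_LIKE = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: a\n",
    "a.class": CLASS_STUB,
    **{f"res/{i}.dat": os.urandom(4096) for i in range(5)},
})

# Constructed ordinary JAR: several classes and a plain-text config file.
ORDINARY = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: App\n",
    "App.class": CLASS_STUB,
    "Util.class": CLASS_STUB,
    "Model.class": CLASS_STUB,
    "cfg.properties": b"key=value\nother=thing\n",
})


if __name__ == "__main__":
    for name, jar in (("loader-like", LOADER_LIKE), ("ordinary", ORDINARY)):
        print(name, triage_jar(jar))
```

The check is deliberately coarse: it does not decrypt anything and says nothing about which payload is inside, only that the archive is shaped like a crypter stage. Legitimate JARs that ship compressed or encrypted resources will also score as opaque, so treat the flag as a reason to look closer (for instance at whether the single class uses reflection to reach its real entry point) rather than as a verdict.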