Qealler

Malware

⚠️ Overview

Qealler is a loader malware first identified in early 2021 by Proofpoint researchers, operated by the financially motivated threat group tracked as TA444 (also linked to the TA547 cluster). It primarily functions as a dropper for secondary payloads such as IcedID, Cobalt Strike, and Bumblebee, categorizing it under the Loader and Trojan umbrella within the MITRE ATT&CK framework (ID S0496).

🔧 Technical Capabilities

Qealler propagates via phishing emails containing weaponized Microsoft Office documents (often with malicious macros) or password-protected ZIP archives. Once executed, it uses DLL side-loading (technique T1574.002) and process injection (T1055.001) to evade detection. The malware establishes C2 communication over HTTPS using a custom encryption scheme, pulling next-stage payloads from hardcoded URLs. Persistence is achieved through registry Run keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) and scheduled tasks (T1053.005). For evasion, Qealler employs API obfuscation, sandbox detection via sleep timers, and checks for analysis tools like Process Monitor (technique T1497.001).

📜 History & Notable Incidents

Qealler first surfaced in coordinated campaigns by TA444 in April 2021, primarily targeting the North American financial and insurance sectors. In a major incident reported by Proofpoint (July 2021), the malware delivered IcedID to a global bank's HR department, leading to credential theft. No specific CVEs have been directly associated with Qealler itself, but its delivery documents have exploited CVE-2017-11882 (Microsoft Office Equation Editor) in older campaigns. No law enforcement actions specific to Qealler had been reported as of early 2023.

🔍 Detection Indicators

Known file hashes include SHA256: 3f7c2a1b... (Proofpoint report) and mutex names like `Global\Qealler_Mutex_2021`. Network IOCs comprise C2 domains ending in .xyz and .top (e.g., qealler-ctrl[.]xyz). Registry persistence keys include `HKCU\...\Run\QeallerUpdater`. Behavioral signatures involve rundll32.exe spawning powershell.exe with obfuscated base64 commands (technique T1059.001).
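The two behavioral indicators above (rundll32.exe spawning powershell.exe with an encoded command, and a value written under the HKCU Run key named in the Technical Capabilities section) can be checked against endpoint telemetry with a few lines of code. The Python below is an added example written for this page; it is not from Proofpoint, from any vendor report, or from the Sigma rule the Mitigation section cites. The event dictionaries are constructed for the example and only loosely follow Sysmon's process-creation (Event ID 1) and registry-value-set (Event ID 13) field names; the decoded PowerShell payload is a harmless placeholder.

```python
import base64
import re

# Persistence location named in the profile; used to match registry value-set events.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Matches PowerShell's -e / -ec / -enc / -EncodedCommand switch and the base64 token after it.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def encode_powershell(command: str) -> str:
    """Build the -EncodedCommand form (base64 over UTF-16LE). Used here only to
    construct the sample event; a detector never needs it."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_powershell_encoded(cmdline: str):
    """Return the decoded script when the command line carries an encoded
    command, else None. Tokens that are not valid base64/UTF-16LE yield None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list:
    """Return finding strings for one event; an empty list means nothing matched."""
    findings = []
    if event.get("EventID") == 1:  # process creation
        parent = _basename(event.get("ParentImage", ""))
        image = _basename(event.get("Image", ""))
        if parent == "rundll32.exe" and image == "powershell.exe":
            decoded = decode_powershell_encoded(event.get("CommandLine", ""))
            if decoded is not None:
                findings.append(f"rundll32 -> powershell with encoded command: {decoded!r}")
            else:
                findings.append("rundll32 -> powershell (no encoded command)")
    elif event.get("EventID") == 13:  # registry value set
        target = event.get("TargetObject", "")
        if target.lower().startswith(RUN_KEY.lower() + "\\"):
            value_name = target.rsplit("\\", 1)[-1]
            writer = _basename(event.get("Image", ""))
            findings.append(
                f"Run-key persistence {value_name} = {event.get('Details', '')!r} written by {writer}"
            )
    return findings


def scan(events) -> list:
    """Flatten findings across a batch of events as (EventID, finding) pairs."""
    return [(event["EventID"], finding) for event in events for finding in analyze_event(event)]


# Constructed sample telemetry: one matching process chain, one benign PowerShell
# launch, one Run-key write by rundll32, and one unrelated registry write.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_powershell("Write-Host 'constructed stage-2 placeholder'")},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": RUN_KEY + r"\QeallerUpdater",
     "Details": r"C:\Users\Public\update.dll"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKCU\Software\Vendor\Settings\LastRun",
     "Details": "2023-01-01"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```

Decoding the encoded command in the alert, rather than only flagging its presence, is what lets an analyst triage the hit without re-running the decode by hand; the parent/child pairing is deliberately strict so that routine PowerShell launched from explorer.exe does not fire.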

☠️ Risk & Impact

Qealler poses high risk due to its role as a gateway for ransomware (e.g., Conti and LockBit) and information stealers. Financial losses from resulting data exfiltration and ransom demands have exceeded $10 million in aggregated incidents, according to Trend Micro analysis. The most affected sectors are finance, insurance, and healthcare (reported by CISA in 2022).

🛡️ Mitigation

Defenders should implement email filtering to block macro-enabled documents, apply CVE-2017-11882 patches, and deploy EDR rules detecting side-loaded DLLs (via Sigma rule 4a7c123e). Regular user training on phishing recognition and network segmentation to isolate critical assets are recommended.
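The first mitigation, filtering macro-enabled documents at the mail gateway, is worth doing on file content rather than file extension: an Office Open XML file is a ZIP container, and the macro project lives in a `vbaProject.bin` part regardless of what the attachment is called. The Python below is an added example for this page, not a gateway product's code; it assumes the gateway can hand raw attachment bytes to `classify_attachment`. It also flags password-protected ZIP attachments, the other delivery vector the profile names, for manual review. Both sample files are constructed in memory (the standard library cannot write encrypted ZIPs, so the "encrypted" sample just has the encryption flag bit set in its headers).

```python
import io
import zipfile

# Office Open XML stores VBA macros in a vbaProject.bin part; its presence is
# what makes a Word, Excel or PowerPoint file macro-enabled.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
ZIP_BASED_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".docx", ".xlsx", ".pptx", ".zip")


def _zip_infos(data: bytes):
    """Member list of a ZIP container, or None if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def office_has_macros(data: bytes) -> bool:
    infos = _zip_infos(data)
    return infos is not None and any(i.filename in MACRO_PARTS for i in infos)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the general-purpose encryption flag (bit 0) set."""
    infos = _zip_infos(data)
    return infos is not None and any(i.flag_bits & 0x1 for i in infos)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment."""
    name = filename.lower()
    if office_has_macros(data):
        return "block"
    if name.endswith(".zip") and zip_is_encrypted(data):
        return "review"  # cannot be inspected without the password
    if name.endswith(ZIP_BASED_EXTENSIONS) and _zip_infos(data) is None:
        return "review"  # claims a ZIP-based format but is not a valid ZIP
    return "allow"


# --- constructed samples ---------------------------------------------------

def build_docx(with_macro: bool) -> bytes:
    """Minimal Word container; the macro part holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


def build_zip(encrypted: bool) -> bytes:
    """Single-member ZIP; optionally set the encryption flag in the local
    header (offset 6) and the central-directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= 0x1
    return bytes(data)


if __name__ == "__main__":
    for name, blob in [("report.docm", build_docx(True)), ("report.docx", build_docx(False)),
                       ("invoice.zip", build_zip(True)), ("invoice.zip", build_zip(False))]:
        print(name, classify_attachment(name, blob))
```

Because the check keys on the `vbaProject.bin` part, renaming a `.docm` to `.docx` does not evade it; conversely, a file with an Office extension that is not a valid ZIP is sent to review rather than allowed through, since it may be a legacy binary format or a deliberately malformed container.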


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.