A PAINFUL QUICKHEAL
Dec. 16, 2024, 2:33 p.m.
Tags
External References
Description
This report analyzes a QUICKHEAL malware sample associated with Needleminer, a group linked to the Chinese PLA. The sample is a 32-bit DLL protected by VMProtect, compiled in April 2022, and used against the telecom sector. It can steal credentials from the Firefox and Internet Explorer browsers. The malware communicates with its C2 server over HTTP and attempts to establish those connections through a proxy. It employs several obfuscation techniques, including renaming cmd.exe and using a custom API resolver. The attackers' infrastructure, spanning multiple years and campaigns, shows poor operational security but is used against diverse sectors and countries, including India, South Korea, and potentially the Middle East.
Date
Published: Dec. 16, 2024, 1:03 p.m.
Created: Dec. 16, 2024, 1:03 p.m.
Modified: Dec. 16, 2024, 2:33 p.m.
Attack Patterns
QUICKHEAL
Needleminer
T1555.003
T1027.002
T1571
T1087
T1056.001
T1555
T1082
T1083
T1140
T1027
T1112
Additional Information
Space
Telecommunications
Government
British Indian Ocean Territory
India