Hot on the heels of the Ramnit Trojan delivery campaign targeting customers of six UK banks comes one delivering the Qadars Trojan. The targets, again, are customers of UK banks – 18 of them this time.
Qadars is not a new threat. It dates back to 2013, but it’s constantly updated and the group behind it has been switching targets pretty regularly, hitting European users first, then North American and Australian users next, and so on.
“Qadars has been able to use advanced banking malware tactics ever since its early days, with capabilities such as hooking the internet browser to monitor and manipulate user activity; fetching webinjections in real time from a remote server; supplementing fraud scenarios with an SMS hijacking app; and orchestrating the full scope of fraudulent data theft and transaction operation through an automated transfer system (ATS) panel,” IBM researchers note.
“To steal two-factor authentication (2FA) codes from a user whose bank requires an out-of-band element, Qadars’ operators deployed the Perkele (iBanking) mobile bot as the malicious mobile component. In this case, Qadars even added the theft of codes from mobile devices to the ATS transaction orchestration flow.”
Qadars also does not discriminate: it will go after login credentials for social networks, e-commerce platforms, payments and card services, and so on. It’s also capable of remote-controlling the infected computer via virtual network computing (VNC).
To do everything it’s capable of doing, it has to acquire admin rights on the target computer. It does so via social engineering: it displays a fake message prompting the user to download a new Windows security update.
“Once the user clicks the fake update notice window, the malware’s dropper runs itself again using the ShellExecuteEx Win32 API. This time, however, the system displays a UAC dialog to the user,” the researchers explained.
“The malware doesn’t give the user an option to cancel or close the fake update window. Basically, users will encounter the UAC prompt again and again until they approve it, at which point the malware is launched again, this time with a new, higher privilege level.”
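The elevation trick described above leaves a recognisable footprint in endpoint telemetry: a binary in a user-writable location starts at Medium integrity, then the same image appears again at High integrity with itself as the parent (when a process relaunches itself through ShellExecuteEx and the user approves the UAC prompt, the elevated child is typically recorded with the requesting process as its ParentImage). The following is an added detection example, not code from IBM’s report or from the malware; it runs over a handful of constructed, simplified Sysmon Event ID 1 records (the field names Image, ParentImage, IntegrityLevel and UtcTime are real Sysmon fields, the values are invented) and flags self-elevation from Temp, AppData or Downloads.

```python
from datetime import datetime, timedelta

# Path fragments that ordinary users can write to; legitimate installers
# rarely elevate from here, droppers very often do. (Assumed list.)
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed, simplified Sysmon Event ID 1 (process create) records.
# Not real telemetry: paths, names and times are made up for the example.
SAMPLE_EVENTS = [
    # 1. dropper first runs unprivileged from the user's Temp directory
    {"UtcTime": "2016-11-02 10:15:01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd8.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    # 2. after the UAC prompt is approved, the same image relaunches itself elevated
    {"UtcTime": "2016-11-02 10:15:04",
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd8.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd8.exe", "IntegrityLevel": "High"},
    # 3. a normal installer elevating from Program Files: should not be flagged
    {"UtcTime": "2016-11-02 10:20:00",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    # 4. elevated launch from Downloads with no self-relaunch: weak signal only
    {"UtcTime": "2016-11-02 11:30:00",
     "Image": r"C:\Users\alice\Downloads\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
]


def is_user_writable(path):
    """True if the path sits under a directory an unprivileged user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_self_elevation(events, window=timedelta(minutes=5)):
    """Flag High-integrity processes started from user-writable paths.

    Severity is raised when the elevated process was spawned by itself
    (ShellExecuteEx relaunch pattern) and/or when the same image was seen
    running at Medium integrity shortly before.
    """
    findings = []
    last_medium_start = {}  # lowercased image path -> last Medium-integrity start
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        image = ev["Image"].lower()
        started = parse_time(ev["UtcTime"])
        if ev["IntegrityLevel"] == "Medium":
            last_medium_start[image] = started
            continue
        if ev["IntegrityLevel"] != "High" or not is_user_writable(image):
            continue
        self_relaunch = ev["ParentImage"].lower() == image
        prior = last_medium_start.get(image)
        recent_medium = prior is not None and started - prior <= window
        if self_relaunch and recent_medium:
            severity = "high"
        elif self_relaunch or recent_medium:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "image": ev["Image"],
            "time": ev["UtcTime"],
            "severity": severity,
            "self_relaunch": self_relaunch,
            "preceded_by_medium_launch": recent_medium,
        })
    return findings


if __name__ == "__main__":
    for f in detect_self_elevation(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["image"])
```

On the sample set the Temp-resident dropper is reported at high severity (self-relaunch plus a Medium-integrity start three seconds earlier), the Downloads binary only at low severity, and the installer under Program Files not at all. In practice the path list and the time window are tuning knobs; a repeated UAC prompt loop like the one the researchers describe would also show up as several Medium-integrity starts of the same image in quick succession before the High one appears.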
Qadars is usually delivered via botnets (downloader malware) and exploit kits, but it has never reached the attack volumes of more popular banking Trojans. The researchers believe that’s intentional, and that its operators hope law enforcement will go after bigger threats instead.
Update notes for this latest version indicate that the author is likely Russian, and that the malware is constantly updated.
“The release notes indicated that Qadars is an advanced online banking Trojan that comes from a single source. Its source programs all operational components and does not buy injection kits from outsourced developers,” the researchers concluded, but added that its creator did borrow code from the Zeus and Carberp Trojans.
Aside from UK targets, Qadars is also currently targeting users in Germany, Brazil, and the US.