Qadars September attacks target 18 UK banks

Sep 22, 2016 14:00 GMT

The criminal group behind the Qadars banking trojan has launched v3 of their malware this year, which this month seems to be focused on targeting the clients of 18 banks in the UK, according to a recent report by IBM's X-Force team.

Qadars is one of the lesser-known banking trojans, but just as dangerous as its more famous counterparts, such as Dridex, Ursnif, Ramnit, Neverquest, Shifu, and others.

The first version of this trojan appeared in 2013 when it mainly targeted countries such as the Netherlands, France, and Italy. Qadars v2 came out in 2015, and by that time, the trojan was busy targeting banks and users in Australia, Canada, the US and the Netherlands.

Qadars v3 launched this year

The Qadars gang launched v3 this spring and, during recent months, has been busy targeting Germany, Poland, the US and the Netherlands, with the recent addition of UK banks in September.

For most of these infections, the Qadars gang relied on exploit kits (EKs) hosted on compromised websites. In its September campaign, crooks leveraged the RIG exploit kit, which is currently rivaling Neutrino and Magnitude for today's most popular EK.

Qadars, a hybrid banking trojan built on the leaked source code of the Carberp and Zeus trojans, appears to be the work of a Russian-speaking threat actor. Nevertheless, the trojan looks to be the work of this group alone, with little code borrowed or bought from other sources.

Qadars features rival any of today's top banking trojans

In a changelog written in Russian and posted online in May, the crooks described a wealth of changes the trojan underwent since October 2015, when v2 came out.

The trojan appears to be on par with today's top banking trojans. Qadars supports browser process hooking, form grabbing, cookie theft, web injection attacks, the use of Tor to exfiltrate stolen data, a domain generation algorithm (DGA) for hiding and connecting to its botnet, and a powerful ATS (automatic transfer system) panel for real-time fraudulent transactions.

Furthermore, Qadars also appears to deploy the Perkele mobile trojan in order to infect the user's device and relay any 2FA messages the user is receiving whenever Qadars attempts a fraudulent operation.

Qadars steals other credentials as well

But the Qadars gang doesn't let infections go to waste. If the victim doesn't use online banking services, the trojan will instead steal their credentials for other services such as social media sites, online betting platforms, e-commerce shops, and other financial payment services.

Popup screen asking users to update Windows

What speaks volumes about the level of sophistication this trojan has achieved is how it escalates its privileges on infected machines.

The trojan shows a popup on the user's screen, telling them there's a Windows security update available. In reality, when the user agrees to allow the security update to install, the trojan leverages the user's approval click to bypass the Windows User Account Control (UAC) protection system and install a more intrusive module that has better control over the PC.

Not a top 10 threat, but dangerous nevertheless

Current attack volume doesn't place Qadars in the top 10 banking malware threats, but this doesn't mean the trojan is any less dangerous.

"It’s possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees," IBM's Limor Kessem explains, "likely to keep their operation focused and less visible."
