
Qadars - a new banking Trojan with the ability to bypass two-factor authentication

We recently discovered a new banking Trojan, added to our databases as Win32/Qadars. The first public coverage of this threat came from LEXSI. Qadars has been quite active lately, infecting users around the world. Like other banking malware, it steals online banking credentials and user funds through a web injection mechanism. Our researchers found that Qadars uses a wide range of such web injections for various online banking tasks.







Earlier we wrote about the banking Trojan Hesperbot, which contains a special component for mobile platforms. This component makes it possible to bypass two-factor authentication based on mTAN confirmation codes for banking transactions. Qadars uses an approach similar to Hesperbot's: it installs a mobile component via a web injection that displays a special message on the online banking page. The difference is that Qadars relies on the existing Android/Perkele mobile malware rather than on code of its own.


Banking Trojans usually fall into one of two categories: either they target a large number of financial institutions and banks, or the attackers focus on certain banks by geography, that is, by the actual location of their victims. Win32/Qadars belongs to the second category: the attackers aim it at users of a particular region or regions and use web-injection configuration files tied to the banks most in demand in that region. Below are the six countries most affected by Qadars activity.



- Holland

- France

- Canada

- India

- Australia

- Italy



We observed several waves of Qadars distribution in these countries; in Holland the campaign was especially intensive, and we tracked the attackers' activity there throughout the monitoring period. The following features of this banking Trojan are worth noting.





The first detection of this malware was recorded in mid-May 2013. The following graph shows the number of Win32/Qadars detections by day.







Although Qadars was observed back in May, the first real wave of infections occurred at the end of June. The authors were apparently testing their tool, since we found several intermediate versions of it. In the first wave the attackers focused on users in Italy, and in subsequent waves on Dutch users.



We can trace the evolution of this malicious tool through the version number embedded in the executable file. The first version was 1.0.0.0 and the latest is 1.0.2.7. The constant release of new versions points to active development of this malicious code. The following graph shows the date of the first detection of each version.







Win32/Qadars uses the well-known Man-in-the-Browser (MitB) technique to perform financial fraud. Like Win32/Spy.Zbot (Zeus), it injects its code into the browser process and hooks the necessary API calls. Using these hooks, it is able to inject malicious content into the web pages the user views. In principle this content can be anything, but it is usually a web form used by the attackers to collect confidential online banking data. Alternatively, the injected content may be JavaScript that attempts to transfer money automatically without the user's knowledge or consent.



Web injection configuration files are downloaded from the C&C server and contain the URLs of the banks' web pages, the content to be embedded in those pages, and the place on the page where it should be inserted. The format of this configuration file is very similar to that of other banking Trojans. After the file is downloaded from the C&C server, it is stored AES-encrypted in one of the registry keys. Currently, Qadars is capable of hooking two browsers: Firefox and Internet Explorer. The malware's code also contains a stub for Google Chrome, so in the future we may see corresponding hooks for that browser as well.



Once the malicious code is installed on a computer, the botnet operator can send it various commands, which are listed in the table below.







In version 1.0.2.7, an add-on appeared: a module that steals the user's FTP account credentials. It supports an extensive set of FTP clients and attempts to open their configuration files and extract the stored account data. Interestingly, to recover the credentials, Qadars uses the well-known static passwords that FTP clients use by default to encrypt their configuration files. Another malware family, Win32/PSW.Fareit (Pony Loader), has the same feature.



To encrypt data during network communication, Win32/Qadars uses AES in ECB mode. Before sending a message, the client generates a random string of nine characters and uses the MD5 hash of this string as the AES key. The server also uses this key to encrypt its response. For the secure transmission of the AES key used in these encryption operations, the client encrypts the key as well and appends it to the end of the message. After that, the whole message is base64-encoded and sent to the server. The figure below shows this process with the corresponding message fields that are sent to the server.





Fig. Network interaction between client and server.



The server's response is encrypted using the key that the client sent in its message. To ensure integrity, an MD5 hash of the message is also added. The figure below shows the structure of the server response.





Fig. The format of the server message.







Knowledge of the network protocol format used by Win32/Qadars greatly facilitated our work in tracking the botnet and studying its behavior.
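The client-side message construction described above (a nine-character nonce, its MD5 as the AES-ECB key, the encrypted key appended, base64 over everything) modelled in Go, as an added example that is not the malware's code or the authors' own: `Encode` builds such a message and `Decode` is the analyst's inverse for reading captured traffic. The article does not say how the appended key is itself encrypted or which padding is used, so the placeholder `wrapKey` and the PKCS#7 padding are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
)

// Constructed placeholder: the article says the appended key is encrypted but not how.
var wrapKey = []byte("placeholder-wrap") // 16 bytes
// ecb runs the raw AES block function over each 16-byte block independently (no IV).
func ecb(key, in []byte, decrypt bool) []byte {
	c, _ := aes.NewCipher(key) // every key used here is 16 bytes, so this cannot fail
	op := c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i+aes.BlockSize <= len(in); i += aes.BlockSize {
		op(out[i:], in[i:i+aes.BlockSize])
	}
	return out
}
// pad applies PKCS#7 padding (assumed; the article does not name the scheme).
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}
// Encode models the client: key = MD5(nonce), AES-ECB body, wrapped key appended, base64.
func Encode(nonce, plaintext string) string {
	key := md5.Sum([]byte(nonce)) // 16 bytes, used directly as the AES-128 key
	msg := append(ecb(key[:], pad([]byte(plaintext)), false), ecb(wrapKey, key[:], false)...)
	return base64.StdEncoding.EncodeToString(msg)
}
// Decode is the analyst's side: undo base64, unwrap the trailing key, decrypt and unpad the body.
func Decode(msg string) (string, []byte, error) {
	raw, err := base64.StdEncoding.DecodeString(msg)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", nil, errors.New("not a well-formed message")
	}
	split := len(raw) - aes.BlockSize
	key := ecb(wrapKey, raw[split:], true)
	body := ecb(key, raw[:split], true)
	if n := int(body[len(body)-1]); n >= 1 && n <= aes.BlockSize {
		return string(body[:len(body)-n]), key, nil
	}
	return "", key, errors.New("bad padding")
}
```

Because ECB has no IV, two identical plaintext blocks in one message produce identical ciphertext blocks, which is one reason the mode is considered weak. The MD5 added for integrity detects corruption only; without a secret it is not a MAC.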



The Win32/Qadars configuration file, which contains the web injections, changes quite often and targets particular financial institutions. To increase the impact of these web injections, the malware authors try to infect users in specific regions or countries. It was not entirely clear which method the attackers used to spread Qadars from May to October. Using data from our telemetry system, we found that they acquired compromised hosts in the countries where they intended to distribute the malware. We came to this conclusion because the compromised computers we observed also contained downloaders and other Pay-per-install (PPI) malware, for example the Win32/Virut file virus.



Starting in November, the attackers began distributing Win32/Qadars using the Nuclear Exploit Kit. Below are a few URLs used for its distribution in early November; they clearly show the pattern specific to Nuclear EK.







Both of these distribution methods allow the botnet operators to select the region where potential victims are located.



As we mentioned, the attackers chose six countries whose users to compromise with Qadars: Holland, France, Canada, Australia, India and Italy. The graph below shows the geographical distribution of Qadars infections from May to November 2013.





Fig. Geographical distribution of Qadars infections.



As can be seen, the largest number of infections is in the Netherlands (75%), with France in second place.





Fig. Detected Qadars infections by day and their distribution by country.



An interesting case is the compromise of Canadian users, recorded during the last 15 days of October. This is confirmed by the bot configuration files we found, which contained web injections targeting Canadian banks.



The web injections targeting banking institutions in the various countries have varying degrees of complexity. Some of them collect additional information whenever a user tries to access a secure online banking site: when the user logs in to his online banking account, he is presented with an additional web form requesting the information the attackers need. An example of such a form is shown below.







Other web injections in the malware's arsenal can perform banking operations automatically and contain methods for circumventing two-factor authentication.



These web injections, which we have mentioned repeatedly, can reach the malware in various ways. Some are delivered as part of the malicious code itself; others are purchased. On underground forums there are various offers to supply such web injections to customers, with the price depending on the customer's wishes and the capabilities required. When analyzing Win32/Qadars, we saw that its web injections were developed by different people, since their coding styles differed from case to case. Many of them were evidently acquired on underground forums, since this form of distribution is preferred by cybercriminals. One of the injects uses a characteristic URL template for fetching external content (scripts and images). The URL pattern in this case looks like this:







The value of the “data” parameter in the URL is base64-encoded. Decoding it in this case gives the parameters “project=mob-ingnl-fand&action=file&id=css”, which tell us more about the attackers' targets. Interestingly, we saw a similar injection URL pattern in a campaign against Czech banks using Win32/Yebot (aka Tilon).



In the case of Qadars, the attackers resort to the services of a so-called ATS (Automatic Transfer System). This term refers to web injections that automatically execute the transaction the attackers want on the victim's bank account when the victim logs in to it. The code of such an inject may be more complex and perform additional functions, for example selecting the bank account holding the most funds in order to withdraw a certain amount from it. Withdrawal here means transferring the funds to the bank account of a money mule (a person to whose account funds are transferred during a fraudulent operation) or of the attacker. The injection code may also contain additional mechanisms to bypass the two-factor authentication systems that banks use to protect their users' transactions.



We found several cybercriminals selling ATS systems targeting banks around the world. On such underground forums there is a distinction between “public” web injections, which are sold to everyone, and “private” ones, which are additionally customized for the customer, so that each customer receives his own copy of the code. In the private scheme the buyer receives the source code of the injection with the right to distribute it. During our analysis we found that the Qadars authors bought web injections: we observed a public ATS registered in the configuration file. The seller of this public injection also bundles an administrative panel that lets Qadars operators control the settings of the automatic transfer.







The highlighted line shows that the injection targets a French bank, and the attacker claims to be able to bypass SMS-based two-factor authentication.



Mobile component



Some of the ATS systems we were able to analyze were designed so that the malicious code could intercept the SMS message with the confirmation code sent by the online banking system. This message contains the mTAN code confirming the banking transaction in progress; the user normally enters this code into the web form of the online banking site. The use of a mobile component by malware is not new: Hesperbot and Zeus-in-the-mobile (ZitMo) are examples. What is interesting is that the actors who sell web injections have started to bundle mobile malware capabilities with them. Thus, attackers who install malicious code on a user's computer can acquire these capabilities on the market as a service, together with an administrative panel and mobile malware for specific banks.



In the case of Win32/Qadars, the mobile component is the Android/Perkele malware, which comes bundled with the web injections used to install it. Perkele can intercept SMS messages on the user's device and forward them to the attackers. This mobile malware was described by Brian Krebs on krebsonsecurity. Using the web injection, Perkele is installed on the user's mobile device as follows: when the user logs in to his online banking account, malicious code already embedded in the web page asks him to install a special mobile application for his phone model (the user chooses the platform). This mobile application supposedly belongs to the bank the user works with.





Fig. Interface of the Android/Perkele version aimed at French banks.



Android/Perkele exists in versions for various platforms, including Android, BlackBerry and Symbian. In the case of Win32/Qadars we observed only the Android version. After the malware is installed, the mTAN transaction confirmation codes are forwarded to the attackers' number, and the user does not see them. It is worth noting that the latest Android version, KitKat, adds restrictions on hiding incoming SMS messages, so Perkele cannot do this stealthily there.



Conclusion



Recently we have seen an increase in the number of banking Trojans and the emergence of new families, among them Win32/Napolar, Win32/Hesperbot and Win32/Qadars. This is probably due to the leaks of the source code of well-known banking Trojans such as Zeus and Carberp, which allowed attackers to better understand how these tools work. Another interesting feature is the use of special tools for automating web injections, as in the case of ATS (injection as a service). This service allows attackers who distribute malware to perform more complex manipulations on the infected system, including bypassing two-factor authentication.



SHA1 hashes

Win32/Qadars (Nuclear Pack): F31BF806920C97D9CA8418C9893052754DF2EB4D

Win32/Qadars (1.0.2.3): DAC7065529E59AE6FC366E23C470435B0FA6EBBE

Android/Perkele: B2C70CA7112D3FD3E0A88D2D38647318D68f836F

Source: https://habr.com/ru/post/207216/


