
About the Qadars banking trojan
The Qadars banking Trojan became known a few years ago. Almost from the moment it appeared, it was able to bypass two-factor authentication. The Trojan did this with the help of malicious mobile content.
Information security specialists report that this malware uses various types of web injection against its victims. The goal of the Trojan is to steal the victim's authentication data in order to conduct online banking transactions on behalf of its operator.
To bypass the protection systems of most banks, the Trojan tries to convince the victim to install a mobile application that removes the need to confirm banking transactions out of band. This application is malicious Android code (Perkele). The victim receives it at the same time as the web injection used to deliver it. The mobile malware can intercept SMS messages on the user's device (for example, the authorization codes sent by the bank). As soon as the victim logs in to online banking, the code injected into the web page asks for a mobile application to be installed for a specific phone model, and the user is told that this is the bank's own mobile application.
The attack pattern the malware uses is well known: Man-in-the-Browser (MitB). In the first stage, the malware injects its code into one of the popular browsers (Internet Explorer, Firefox and others). Once injected, the Trojan's operator is able to conduct transactions on the user's behalf. This is done with JavaScript that transfers funds from the victim's account to the attacker's account without the account holder's knowledge.
Although information security specialists discovered the Trojan several years ago, it has still not been neutralized. On the contrary, its creators have improved its structure and updated some of its functions. The Trojan's main target is now the UK banking sector.
In past years Qadars attacked banks in the Netherlands, Australia, Canada and the United States. Now its operators have focused on the UK. Our specialists have studied this malware, which has already affected 18 British banks.
The malware's other capabilities include the following:
• Hooking of various browser functions (IE, Firefox);
• Theft of certificates and cookies;
• Form grabbing;
• Web injections;
• FIGrabbers;
• Use of a Tor client on the infected machine to hide its communication channels;
• Use of a domain generation algorithm (DGA) to conceal the attackers' remote infrastructure.
The Trojan disguises itself as an update window of a well-known OS. As soon as the user clicks "Update", the Trojan calls the ShellExecuteEx Win32 API.
Now, according to our specialists, the third generation of the Trojan, Qadars v3, is already active on the Web. Over time its creators have added still more functions that allow it to evade detection. Its web injection has also been improved.
The Trojan obfuscates all of its Win32 API calls. In this respect it works much like malware such as URLZone, Dridex and Neverquest. The binary contains encrypted CRC32 values in place of the names of the functions it uses, which hides which API functions the Trojan calls. Given its capabilities, this Trojan is one of the most dangerous banking Trojans of recent times.
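Replacing API names with CRC32 hashes is what an analyst has to undo when reversing such a sample. The following is an added example (not code from the article or from the Qadars binary) that precomputes a hash table of Win32 export names, resolves hashes pulled from a sample, and recovers a simple XOR key once one API call has been identified from behaviour; the hash variant, the key and the API list are assumptions for illustration.

```python
"""Resolve CRC32 API-name hashes back to Win32 export names (analyst helper)."""
import zlib
from typing import Dict, Iterable, List, Optional

MASK = 0xFFFFFFFF

# Constructed list of exports a banking Trojan typically resolves; in real
# use, load every export of kernel32/shell32/wininet/ws2_32 from the DLLs.
KNOWN_APIS = [
    "ShellExecuteExW", "ShellExecuteExA", "CreateProcessW", "VirtualAlloc",
    "WriteProcessMemory", "CreateRemoteThread", "InternetOpenW",
    "HttpSendRequestW", "GetProcAddress", "LoadLibraryW",
]


def api_hash(name: str, key: int = 0) -> int:
    """CRC32 of the ASCII export name, XOR-ed with an optional key.

    Assumption: plain CRC32 over the name without a terminating NUL and
    case-sensitive. A real sample may differ; adjust here if hashes do not
    resolve.
    """
    return (zlib.crc32(name.encode("ascii")) ^ key) & MASK


def build_table(names: Iterable[str], key: int = 0) -> Dict[int, str]:
    """Precompute hash -> name so hashes dumped from a sample resolve in O(1)."""
    return {api_hash(n, key): n for n in names}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each observed hash to a name; None marks one that needs manual review."""
    return [table.get(h & MASK) for h in hashes]


def recover_xor_key(observed: int, known_name: str) -> int:
    """Given one hash whose API is known (e.g. ShellExecuteExW seen in a
    sandbox), derive the XOR key: observed = crc32(name) ^ key."""
    return (observed ^ zlib.crc32(known_name.encode("ascii"))) & MASK


if __name__ == "__main__":
    key = 0x5A5A5A5A  # constructed key standing in for a sample's constant
    dumped = [api_hash(n, key) for n in ("ShellExecuteExW", "InternetOpenW")]
    guessed_key = recover_xor_key(dumped[0], "ShellExecuteExW")
    table = build_table(KNOWN_APIS, guessed_key)
    for h, name in zip(dumped, resolve_hashes(dumped, table)):
        print(f"{h:08x} -> {name}")
```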
The success of Qadars depends on its communication with the attackers' servers over dedicated channels. The Trojan also lets the attackers control infected machines remotely, which further increases their chances of success.