
Qadars Trojan gears up to target UK banks

Advanced Trojan that has been targeting different regions is now preparing to hit UK banks, according to IBM X-Force Research

The Qadars Trojan has been updated to improve its defences and is being tailored to target 18 UK banks, according to IBM X-Force Research.

Infection campaigns launched early this month targeted mainly banks in the Netherlands, the US and Germany, but recently researchers have found evidence that UK banks have been added to the list.

The cyber criminals operating Qadars added the UK to their target list soon after the Ramnit Trojan resumed targeting the UK.

According to the researchers, the UK is back in cyber criminals’ focus, with renewed activity after a period when malware, including GozNym and Zeus, was targeting Germany, Brazil and the US instead.

From a global perspective, Qadars’ operators have been making the rounds, targeting banks in different regions in separate bouts of online banking fraud attacks since 2013.

Early campaigns were aimed at banks in France and the Netherlands in 2013 and 2014, but in 2015 to 2016 the top targets were banks in Australia, Canada, the US and the Netherlands.

The top targets are currently banks in the Netherlands, the US, Germany, Poland and the UK.

X-Force Research shows that although most of Qadars’ targets have been banks, a view of the malware’s configurations from recent months proves it is also targeting social networking credentials, online sports betting users, e-commerce platforms, payments and card services.

The researchers believe Qadars is supported by experienced cyber crime factions because the malware has used advanced banking malware tactics from the start.

The Trojan has demonstrated the ability to use internet browsers to monitor and manipulate user activity, fetch web injection code in real time from a remote server, and carry out data theft and transaction operations through an automated transfer system (ATS) panel.


The researchers said ATS was fraudster lingo for a remote, web-based platform that Trojans access on the fly. The ATS panel contains transaction automation scripts, web injections, pre-programmed transaction flow and parameters, transfer thresholds and mule account numbers on which the malware relies to complete illicit online transactions.

To steal two-factor authentication (2FA) codes, Qadars’ operators deployed the Perkele (iBanking) mobile bot as the malicious mobile component. In this case, Qadars even added the theft of codes from mobile devices to the ATS transaction orchestration flow.

Qadars historically infects endpoints using exploit kits hosted on compromised hosts, or domains bought for the purpose of serving malware. The Trojan was also pushed to user endpoints via botnets, using downloader-type malware.

In current campaigns, Qadars is using the Rig Exploit Kit via the EITest campaign to infect users, with downloader malware facilitating its infiltration, the researchers said.

The latest version of Qadars is an advanced online banking Trojan that comes from a single source, the researchers added.

Qadars’ fraud tactics are enabled through techniques such as cookie and certificate fraud, form grabbing, code injection and ATS.

Qadars is capable of in-session fraud, remote-controlling the infected endpoint via virtual network computing (VNC) and performing a fraudulent transaction in real time when the user is logged on.

Account takeover fraud

It can also collect victim credentials and use them in account takeover fraud later from a different device, depending on the targeted bank and the corresponding authentication challenges.

“Qadars’ attack volumes, compared to Trojans such as Neverquest or Dridex, are more humble,” said Limor Kessem, executive security adviser at IBM Security. “Although it is not one of the top 10 financial malware threats on the global list, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities.

“It is possible that Qadars’ attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, and are likely to keep their operation focused and less visible,” she wrote in a blog post.

According to Kessem, Qadars’ operators are well versed in orchestrating the malware infection operation by using exploit kits, launching fraudulent transactions from infected endpoints and circumventing 2FA by infecting victims’ mobile devices.

“Beyond the pre-programmed parts of its configuration files, Qadars relies on communication with remote servers and ATS panels to fetch money mule account numbers in real time,” she said. “It also displays social engineering injections delivered from its servers in real time and can enable hidden remote control of infected machines to defraud their owners’ accounts.”
