There is a new version of the Trojan that tricks users into unknowingly granting system admin access so that attackers can steal credentials.
This sophisticated, stealthy banking malware, dubbed the Qadars Trojan, has begun targeting banks in the UK.
Researchers have uncovered that the latest version of Qadars was designed to target 18 UK banks as well as financial institutions in the US, Germany and the Netherlands.
Qadars has been active since 2013, according to security researchers. They say that it was most likely created by a “Russian-speaking black hat”. It is considered an advanced online banking Trojan that most likely originated from a single source.
“Qadars historically infects endpoints using exploit kits hosted on compromised hosts, or domains purchased for the purpose of serving malware,” said IBM X Force researchers. “The Trojan was also pushed to user endpoints via botnets, leveraging downloader-type malware. From a global perspective, Qadars’ operators have been making the rounds, targeting banks all over the world in separate bouts of online banking fraud attacks since 2013. By count of targeted brands, it appears the gang remains most inclined to attack in Europe.”
Qadars Trojan’s past activities
Researchers have concluded that Qadars originally targeted banks in France and the Netherlands from 2013 to 2014. A year later it shifted targets to Australia, Canada and the US. This year, it is back to focusing on European countries such as Germany, Poland and the Netherlands, yet it still has some foothold in the US.
The malware's developers have not limited its function to targeting financial institutions. It also goes after social networking credentials, online betting, e-commerce, payment and card services, and the list goes on.
Upon further research, they determined that the malware had been modified using code borrowed from prolific Trojans. “Under the hood, Qadars’ developers borrowed code and fraud-facilitating concepts from the Zeus and Carberp Trojans, both of which had their source code leaked publicly in the past few years, thereby enabling malware authors to reuse parts of the code,” IBM X Force researchers said.
Besides the usual targets, the operators have focused some of their efforts on gaining access to victims’ systems and stealing data through social engineering. They have even found a way to trick systems, including those safeguarded by the two-factor authentication commonly used by most banks.
The sophisticated code they have made is also capable of comprehensively monitoring infected devices and hijacking text messages on victims’ phones.
The Qadars malware is continuously evolving. Besides the fact that it now targets Australia, the newer code is designed to evade detection.
It is not surprising that the malware is also capable of obtaining victims’ banking credentials, eventually hijacking the account and reaching the point of “account takeover fraud” from a different device.
The Qadars malware developers also updated the malware to include certain privilege escalation tricks, one of which involves prompting users with a social engineering message in an effort to lure them into downloading a new Windows security update.
In layman's terms, they send you a fake message to trick you into accepting a UAC prompt, which unknowingly grants Qadars administrative privileges. On top of that, there is no option to cancel or close the fake update window.
There are other threats similar to this, namely Dridex and GozNym. Qadars’ activities, however, have been fairly limited and modest but precise.
Given the facts, researchers believe that this is a tactic the operators have been using to avoid detection.
Although it is not among the top 10 financial malware threats as of the moment, it has been flying under the radar for over 3 years. It has been targeting banks in multiple regions using sophisticated techniques, features and capabilities.
Researchers think that the malware creators limit the attack volumes to keep their operations focused and under the radar.
Users beware and be careful and vigilant. Think before you click.