Qadars Trojan targets 18 UK banks


Cybercriminals are targeting British banks with the Qadars Trojan, according to security researchers.

Researchers from IBM's X-Force Research said that hackers have been updating the malware's defences and tailoring its configurations to target 18 banks in the UK. The researchers found that Qadars campaigns launched in early September 2016 and mainly targeted banks in the Netherlands, US and Germany.

They said that the gang behind the malware have been engaged in bouts of online banking fraud attacks since 2013, with a focus on Europe.

As well as banks, the gang has also been after social networking credentials, online sports betting users, e-commerce platforms, payments and card services, among others.

The Qadars Trojan can insert itself into a browser to monitor and manipulate user activity, as well as fetch web injections in real time from a remote server. Its operators can also supplement fraud scenarios with an SMS hijacking app and orchestrate the full scope of fraudulent data theft and transaction operations through an automated transfer system (ATS) panel, which is a remote, web-based platform that Trojans access on the fly.

The ATS panel contains transaction automation scripts, web injections, pre-programmed transaction flow and parameters, transfer thresholds and mule account numbers on which the malware relies to complete illicit online transactions.

To steal two-factor authentication (2FA) codes from a user whose bank requires an out-of-band element, Qadars' operators deployed the Perkele (iBanking) mobile bot as the malicious mobile component. In this case, Qadars even added the theft of codes from mobile devices to the ATS transaction orchestration flow.

The latest version of the malware surfaced in the first quarter of this year.

"Qadars v3 is continuously evolving. Yet another updated release in late August 2016 offered a new Qadars build with some code updates designed to evade detection, layer anti-research features, and improve the performance and readability of the malware's webinjection mechanisms," said Limor Kessem, executive security advisor at IBM.

She said that while the malware is not one of the top ten financial malware threats on the global list, the Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities.

"It's possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible," she said.

Mark James, security specialist at ESET, told IT Pro that as the UK has established financial headquarters it would stand to reason that malware designed to hit banking organisations will try and infect as many here as possible.

"The trouble with the internet is it has no real boundaries, so countries from a malware point of view just blend into one big attack vector," he said.

"The instant reward from the financial segment will continue to make this industry a desirable target and the UK will continue to be near the top of that list," he added.

Rene Millman
