Qadars Trojan targets 18 UK banks

British financial institutions in firing line of cybercriminals

Cybercriminals are targeting British banks with the Qadars Trojan, according to security researchers.

Researchers from IBM's X-Force Research said that hackers have been updating the malware's defences and tailoring its configurations to target 18 banks in the UK. The researchers found that Qadars campaigns launched in early September 2016 and mainly targeted banks in the Netherlands, US and Germany.

They said that the gang behind the malware have been engaged in bouts of online banking fraud attacks since 2013, with a focus on Europe.

As well as banks, the gang has also been after social networking credentials, online sports betting users, e-commerce platforms, payments and card services, among others.

The Qadars Trojan can insert itself into a browser to monitor and manipulate user activity, as well as fetch web injections in real time from a remote server. Its operators can also supplement fraud scenarios with an SMS hijacking app and orchestrate the full scope of fraudulent data theft and transaction operations through an automated transfer system (ATS) panel, which is a remote, web-based platform that Trojans access on the fly.

The ATS panel contains transaction automation scripts, web injections, pre-programmed transaction flow and parameters, transfer thresholds and mule account numbers on which the malware relies to complete illicit online transactions.

To steal two-factor authentication (2FA) codes from a user whose bank requires an out-of-band element, Qadars' operators deployed the Perkele (iBanking) mobile bot as the malicious mobile component. In this case, Qadars even added the theft of codes from mobile devices to the ATS transaction orchestration flow.

The latest version of the malware surfaced in the first quarter of this year.

"Qadars v3 is continuously evolving. Yet another updated release in late August 2016 offered a new Qadars build with some code updates designed to evade detection, layer anti-research features, and improve the performance and readability of the malware's webinjection mechanisms," said Limor Kessem, executive security advisor at IBM.

She said that while the malware is not one of the top ten financial malware threats on the global list, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities.

"It's possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible," she said.

Mark James, security specialist at ESET, told IT Pro that as the UK has established financial headquarters it would stand to reason that malware designed to hit banking organisations will try and infect as many here as possible.

"The trouble with the internet is it has no real boundaries, so countries from a malware point of view just blend into one big attack vector," he said.

"The instant reward from the financial segment will continue to make this industry a desirable target and the UK will continue to be near the top of that list," he added. 
