Qadars Trojan targets 18 UK banks

British financial institutions in firing line of cybercriminals

Online banking details

Cybercriminals are targeting British banks with the Qadars Trojan, according to security researchers.

Researchers from IBM's X-Force Research said that hackers have been updating the malware's defences and tailoring its configurations to target 18 banks in the UK. The researchers found that Qadars campaigns launched in early September 2016 and mainly targeted banks in the Netherlands, US and Germany.

Advertisement - Article continues below

They said that the gang behind the malware have been engaged in bouts of online banking fraud attacks since 2013, with a focus on Europe.

As well as banks, the gang has also been after social networking credentials, online sports betting users, e-commerce platforms, payments and card services, among others.

The Qadars Trojan can insert itself into a browser to monitor and manipulate user activity, as well as fetch web injections in real time from a remote server. They can also supplement fraud scenarios with an SMS hijacking app and orchestrate the full scope of fraudulent data theft and transaction operation through an automated transfer system (ATS) panel, which is a remote, web-based platform that Trojans access on the fly.

The ATS panel contains transaction automation scripts, web injections, pre-programmed transaction flow and parameters, transfer thresholds and mule account numbers on which the malware relies to complete illicit online transactions.

Advertisement - Article continues below
Advertisement - Article continues below

To steal two-factor authentication (2FA) codes from a user whose bank requires an out-of-band element, Qadars' operators deployed the Perkele (iBanking) mobile bot as the malicious mobile component. In this case, Qadars even added the theft of codes from mobile devices to the ATS transaction orchestration flow.

The latest version of the malware surfaced in the first quarter of this year.

"Qadars v3 is continuously evolving. Yet another updated release in late August 2016 offered a new Qadars build with some code updates designed to evade detection, layer anti-research features, and improve the performance and readability of the malware's webinjection mechanisms," said Limor Kessem, executive security advisor at IBM.

She said that while the malware is not one of the top ten financial malware threats on the global list, however, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities.

Advertisement - Article continues below

"It's possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible," she said.

Mark James, security specialist at ESET, told IT Pro that as the UK has established financial headquarters it would stand to reason that malware designed to hit banking organisations will try and infect as many here as possible.

"The trouble with the internet is it has no real boundaries, so countries from a malware point of view just blend into one big attack vector," he said.

"The instant reward from the financial segment will continue to make this industry a desirable target and the UK will continue to be near the top of that list," he added. 

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The best server solution for your SMB

26 Jun 2020