Qadars Trojan targets 18 UK banks
IBM X-Force Research finds malware is also after social networking credentials, online sports betting users, e-commerce platforms, payments and card services
The Qadars Trojan malware has been updated and is now targeting 18 UK-based banks, according to security researchers at IBM X-Force.
In recent years the malware has been configured to attack banks in France and the Netherlands, with Australia, Canada and the US also attacked last year. However now it appears to have been updated, with UK financial institutions its new focus.
According to a post on the IBM X-Force blog, the Trojan has various capabilities:
- Hooking the internet browser to monitor and manipulate user activity;
- Fetching web injections in real time from a remote server;
- Supplementing fraud scenarios with an SMS hijacking app; and
- Orchestrating the full scope of fraudulent data theft and transaction operation through an automated transfer system (ATS) panel.
The updated code used in Qadars also gives it more ways to defeat traditional cyber defences.
"Qadars' new version obfuscates all of its Win32 API calls by employing a common trick often used by banking malware of this grade, such as URLZone, Dridex and Neverquest. When the malware code starts to run and after the packer has completed its part, it dynamically resolves all the memory addresses of the APIs it's going to use," wrote IBM X-Force in the blog.
It continued: "Qadars contains hardcoded CRC32 values for all the function names it plans to use. To resolve the actual memory address of a function, it iterates over the export table of a particular system DLL and compares the CRC32 of each exported function name against the hardcoded one. If a match is found, Qadars saves the memory address of the function in a global variable.
"The malware adds a twist to this well-known dynamic API resolving method by XORing the hardcoded CRC32 values of the function names with another constant value that's embedded in the binary itself. By employing this method, Qadars makes it a bit harder for scripts to find and annotate the actual Win32 APIs it uses," it said.
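The hash-plus-XOR scheme described above is what an analyst has to undo before a disassembly of such a sample reads sensibly. The script below is an added illustration for that annotation task, not code from the article or from IBM X-Force: it reproduces the described lookup (CRC32 of an export name XORed with a constant), maps values pulled from a sample back to API names, and shows a known-plaintext way to recover the XOR constant when it is not yet known. The export list and the XOR key are constructed for the example; a real run would load the full export tables of the relevant system DLLs.

```python
import zlib

# Constructed export names for the example; real use would load the full
# export tables of kernel32.dll, wininet.dll, etc. via a PE parser.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateRemoteThread", "WriteProcessMemory", "InternetOpenA",
    "HttpSendRequestA", "CreateFileA", "RegSetValueExA",
]

# Constructed constant, not the value embedded in any real sample.
XOR_KEY_EXAMPLE = 0x5A3C9E71


def crc32_name(name: str) -> int:
    """Plain CRC32 of an exported function name, as a 32-bit unsigned value."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def obfuscated_hash(name: str, xor_key: int) -> int:
    """The stored form described in the article: CRC32(name) XOR embedded constant."""
    return crc32_name(name) ^ (xor_key & 0xFFFFFFFF)


def build_annotation_table(exports, xor_key: int) -> dict:
    """Precompute obfuscated hash -> API name for every candidate export."""
    return {obfuscated_hash(n, xor_key): n for n in exports}


def annotate_hashes(hashes, xor_key: int, exports=CANDIDATE_EXPORTS) -> dict:
    """Map each hardcoded value found in a sample to an API name (None if unknown)."""
    table = build_annotation_table(exports, xor_key)
    return {h: table.get(h) for h in hashes}


def recover_xor_key(hashes, exports=CANDIDATE_EXPORTS,
                    anchor_name="LoadLibraryA", min_hits=3):
    """Known-plaintext recovery of the XOR constant.

    Assume one of the stored values corresponds to anchor_name (a common
    choice: nearly every dynamic resolver needs LoadLibraryA). XORing that
    value with CRC32(anchor_name) yields a candidate key; keep the candidate
    that explains the most stored values, and reject it if too few match.
    """
    stored = set(hashes)
    anchor = crc32_name(anchor_name)
    best_key, best_hits = None, 0
    for h in hashes:
        key = h ^ anchor
        hits = sum(1 for n in exports if obfuscated_hash(n, key) in stored)
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key if best_hits >= min_hits else None


if __name__ == "__main__":
    # Constructed "values extracted from a sample" for demonstration.
    sample_values = [obfuscated_hash(n, XOR_KEY_EXAMPLE)
                     for n in ("LoadLibraryA", "GetProcAddress",
                               "VirtualAlloc", "InternetOpenA")]
    key = recover_xor_key(sample_values)
    print(f"recovered key: {key:#010x}")
    for h, name in annotate_hashes(sample_values, key).items():
        print(f"{h:#010x} -> {name}")
```

The recovery step is only a heuristic: it needs the anchor API to actually be among the stored values and a candidate export list wide enough to confirm the key, which is why it reports `None` below the `min_hits` threshold instead of returning a guess.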
Mark James, security specialist at ESET, explained that it was just a matter of time before the Trojan was targeted at UK banks.
"As the UK has a very strong economic state with some very good established financial headquarters it would stand to reason that malware designed to hit banking organisations will try and infect as many here as possible. The trouble with the internet is it has no real boundaries, so countries from a malware point of view just blend into one big attack vector.
"Malware evolves and develops in many ways; some because the first attack method was stumped or unsuccessful, some because better or newer techniques develop into a more successful means to infect. But we often see older strains or variants resurface causing new havoc. Malware that targets a specific vector or industry is often harder to detect as its global footprint is somewhat smaller," he said.
James also provided a few tips firms can employ to better shore up their defences.
"As always, good security needs to be multi-layered; regularly updating internet security software, along with traffic and data monitoring and well-laid-out policies, will form a good base to build up your security. As malware does very often resurface, making sure your security products retain their ability to detect older malware is a must. Also ensure user or staff education is kept current and up to date. So many attack methods utilise the human element that educating and encouraging staff to form an integral part of the business security is ultra-important.
"The instant reward from the financial segment will continue to make this industry a desirable target and the UK will continue to be near the top of that list," he said.
Computing's sister title the Inquirer currently has a debate ongoing around ransomware.