A sophisticated stealth banking malware dubbed Qadars Trojan has begun targeting banks in the UK. Security researchers have uncovered that the most recent version of Qadars has been specifically designed to target 18 unspecified banks in the UK as well as financial institutions in the US, Netherlands and Germany.

Security researchers believe that Qadars, which has been active since 2013, is likely the brainchild of a "Russian-speaking black hat" and is considered to be an "advanced online banking Trojan" likely originating from a "single source".

"Qadars historically infects endpoints using exploit kits hosted on compromised hosts, or domains purchased for the purpose of serving malware," said IBM X Force researchers. "The Trojan was also pushed to user endpoints via botnets, leveraging downloader-type malware. From a global perspective, Qadars' operators have been making the rounds, targeting banks all over the world in separate bouts of online banking fraud attacks since 2013. By count of targeted brands, it appears the gang remains most inclined to attack in Europe."

Qadars Trojan's past activities

According to researchers, the banking Trojan primarily targeted banks in France and Netherlands between 2013 and 2014. However, the following year, the malware shifted targets to go after financial institutions in Australia, Canada and the US. In 2016, the Trojan is again back to targeting banks in Europe, specifically in Germany, Poland and Netherlands as well as some in the US.

However, Qadars operators have not limited the malware into targeting only financial institutions. The malware has been updated over the years to also go after social networking credentials, online sports betting users, e-commerce platforms, payments and card services and more.

Researchers also uncovered that the malware's developers made modifications based on borrowed codes of other proliferate Trojans. "Under the hood, Qadars' developers borrowed code and fraud-facilitating concepts from the Zeus and Carberp Trojans, both of which had their source code leaked publicly in the past few years, thereby enabling malware authors to reuse parts of the code," IBM X Force researchers said.

The malware also uses social engineering in efforts to gain complete access to victims' systems and steal data, including that safeguarded by two-factor authentication systems commonly used by most banks. Additionally, the Trojan is also capable of comprehensively monitoring injected devices and hijacking text messages on victims' phones.

Qadars v3 in the wild

According to researchers, the latest version of the malware was released in Q1 2016 and was found to be targeting all major banks in Australia. "Qadars v3 is continuously evolving. Yet another updated release in late August 2016 offered a new Qadars build with some code updates designed to evade detection, layer anti-research features, and improve the performance and readability of the malware's webinjection mechanisms," researchers said.

The malware is also capable of obtaining victims' banking credentials and using them to conduct "account takeover fraud" from a different device. Qadars developers also updated the malware to include certain privilege escalation tricks, one of which involves prompting users with a social engineering message in efforts to lure them into downloading a new Windows security update.

"That fake message is used to influence the user into unknowingly accepting a UAC prompt and inadvertently granting Qadars admin rights. The malware doesn't give the user an option to cancel or close the fake update window," the researchers added.

Qadars in stealth mode

Compared to other proliferate banking Trojans such as Dridex or GozNym, Qadars' activities have been fairly limited and modest. However, researchers believe this to be a deliberate ploy of the malware's developers, in efforts to evade detection.

Researchers said, "While it is not one of the top 10 financial malware threats on the global list, however, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities. It's possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible."