
Banking Trojan Qadars returns and attacks banks in the UK

The banking Trojan Qadars became known several years ago. Almost from the moment of its appearance it was able to bypass two-factor authentication, and it did so by delivering malicious mobile content.
Information security experts report that this malware uses various types of web injections to infect users' computers. The trojan has a single purpose: stealing the victim's authentication data in order to carry out online banking transactions on behalf of its operator.
To get around the protection used by most banks, the trojan tries to convince the victim to install a mobile application, which removes the need to confirm banking transactions. This application is malicious Android code (Perkele). The victim receives it together with the web injection that is used to install it. The mobile malware can intercept SMS messages on the user's device (for example, the authorization SMS sent by the bank). As soon as the victim logs into online banking, the code embedded in the web page asks the user to install a mobile application for a specific phone model, presenting it as the bank's own mobile app.
The attack scheme used by the malware is well known: Man-in-the-Browser (MiB). In the first stage the malware injects its code into any of the popular browsers (Internet Explorer, Firefox and others), exploiting a specific vulnerability. Once injected, the trojan's operator can conduct transactions on the user's behalf in the operator's own interest. This is done with JavaScript that transfers funds from the victim's account to the attacker's account without the account holder's knowledge.
Although information security experts discovered the trojan several years ago, it has still not been neutralized. Moreover, its creators have improved its structure and updated some of its functions. The trojan's main target is now the banking sector of the UK.
In past years Qadars attacked banks in the Netherlands, Australia, Canada and the United States. Now its creators have turned to the UK. Our company's specialists have studied this malware, which has already affected the operations of 18 British banks.
Among the other tools of this software it is worth highlighting the following:
• Interception of various browser functions (IE, Firefox);
• Fake certificates and cookies;
• Work with forms;
• Web injections;
• FIGrabbers;
• Use of a Tor client on the infected machine to hide its communication channels;
• Use of a domain generation algorithm (DGA) to mask the attackers' remote infrastructure.

The Trojan disguises itself as an update dialog of a well-known operating system. As soon as the user clicks "upgrade", the trojan calls the ShellExecuteEx Win32 API.
According to our experts, the third generation of the trojan, Qadars v3, is already active on the Web. Over time its creators have added more features that allow it to avoid detection, and its web injection has been improved.
The trojan obfuscates all of its Win32 API calls; in this respect it resembles malware such as URL Zone, Dridex and Neverquest. Instead of function names, the binary stores encrypted CRC32 values, which hides which functions the trojan uses. Because of these capabilities, Qadars is one of the most dangerous banking Trojans of recent times.
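API hashing of this kind is resolved during analysis by recomputing the hash over known export names and matching the results against the values found in the binary. The following script is an added example written for this article, not Qadars code or a tool from our company: it assumes the hash is a plain CRC32 of the ASCII API name, optionally masked with a 32-bit XOR key, and scans a constructed byte blob for matching little-endian DWORDs.

```python
import struct
import zlib

# Constructed list of Win32 API names a banking trojan is likely to resolve.
# In practice this is built from the export tables of the DLLs of interest.
API_NAMES = [
    "ShellExecuteExW", "ShellExecuteExA", "CreateProcessW",
    "WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread",
    "InternetOpenW", "HttpSendRequestW", "GetProcAddress", "LoadLibraryW",
]


def api_hash(name: str, xor_key: int = 0) -> int:
    """CRC32 of the ASCII name, optionally masked with a 32-bit XOR key.
    The XOR mask is an assumed variant; real samples may use another scheme."""
    return (zlib.crc32(name.encode("ascii")) ^ xor_key) & 0xFFFFFFFF


def build_table(names, xor_key: int = 0) -> dict:
    """Map hash value -> API name so hashes seen in a binary can be resolved."""
    return {api_hash(n, xor_key): n for n in names}


def resolve_hashes(blob: bytes, table: dict) -> list:
    """Slide a 4-byte window over blob and report every little-endian DWORD
    whose value is a known API hash, as (offset, name) pairs."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


def sample_blob() -> bytes:
    """Constructed stand-in for a data section: two hashed API references
    surrounded by filler bytes (not taken from any real sample)."""
    return (b"\x90\x90" + struct.pack("<I", api_hash("ShellExecuteExW"))
            + b"\x00\x00" + struct.pack("<I", api_hash("CreateProcessW"))
            + b"\xc3")


if __name__ == "__main__":
    for offset, name in resolve_hashes(sample_blob(), build_table(API_NAMES)):
        print(f"offset 0x{offset:04x}: {name}")
```

When the recovered value does not match any plain CRC32, try the same table with candidate XOR keys observed in the resolver routine before assuming a different hash function.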
The success of Qadars depends on its communication with its servers over dedicated channels. The trojan also provides remote control of infected machines, which further increases the attackers' chances of success.