ESET Canada's malware research lab has recently analyzed a very active banking Trojan dubbed Qadars, which is targeting users especially in the Netherlands (75% of detected infections; other targets include France, Italy, Canada, India and Australia). Qadars uses a wide variety of webinjects, some with Android mobile components that are capable of bypassing the two-factor authentication systems of online banking services to gain access to users' bank accounts. The Trojan pinpoints users in specific regions and uses webinject configuration files tailored to the banks most commonly used by the victims, which makes it much more effective. The malware has been observed by ESET for the last six months, and we can confirm that it is being continuously updated.
Detected as Win32/Qadars, the malware uses a Man-in-the-Browser scheme to perform financial fraud. It injects itself into browser processes (Firefox or Internet Explorer) and is then capable of inserting content into the pages viewed by the user. Some of the webinjects are very sophisticated and can perform transactions automatically and bypass the two-factor authentication systems implemented by banks.
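A webinject alters the page only inside the infected browser, so the copy the bank's server sent and the copy the browser rendered differ. The following is an added example written for this release, not ESET's code and not derived from the Qadars analysis: it assumes the defender can obtain both versions of a login page (for instance via a client-side integrity script that reports the live DOM back to the bank) and compares the security-relevant elements to flag anything that appeared only on the client side. Both sample pages are constructed, and the injected fields and script in the "observed" page are hypothetical.

```python
"""
Reference-vs-observed page comparison to spot webinject-style tampering.

Added example; not code from ESET or from the Qadars malware. Assumes the
defender holds the HTML the server sent (reference) and the HTML the browser
rendered (observed). Sample pages below are constructed for illustration.
"""
import hashlib
from collections import Counter
from html.parser import HTMLParser


class ElementCollector(HTMLParser):
    """Collect form-related and script-related elements with key attributes."""

    # Elements a webinject typically adds or rewrites, and which attributes matter.
    WATCHED = {
        "form": ("action",),
        "input": ("name", "type"),
        "script": ("src",),
        "iframe": ("src",),
    }

    def __init__(self):
        super().__init__()
        self.elements = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag not in self.WATCHED:
            return
        a = dict(attrs)
        if tag == "script" and not a.get("src"):
            return  # inline script: represented by its content hash in handle_data
        # Attribute values without '=' come back as None; normalise to "" so sorting works.
        self.elements.append((tag, tuple((k, a.get(k) or "") for k in self.WATCHED[tag])))

    def handle_data(self, data):
        # Inline script bodies are fingerprinted rather than stored verbatim.
        if self._in_script and data.strip():
            digest = hashlib.sha256(data.encode("utf-8")).hexdigest()[:16]
            self.elements.append(("inline-script", (("sha256", digest),)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def collect(html):
    """Parse one page and return its watched elements as hashable tuples."""
    parser = ElementCollector()
    parser.feed(html)
    parser.close()
    return parser.elements


def find_injected(reference_html, observed_html):
    """Return watched elements present in the observed page but absent from the reference."""
    ref = Counter(collect(reference_html))
    obs = Counter(collect(observed_html))
    # Counter subtraction keeps only positive counts, i.e. elements the client added.
    return sorted((obs - ref).elements())


# Constructed sample: what the bank's server sent.
REFERENCE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
<script src="/static/app.js"></script>
</body></html>
"""

# Constructed sample: what the infected browser rendered (hypothetical injected content).
OBSERVED_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="phone" type="text">
  <input name="tan" type="text">
</form>
<script src="/static/app.js"></script>
<script>/* injected inline script (constructed placeholder) */</script>
</body></html>
"""


if __name__ == "__main__":
    for tag, attrs in find_injected(REFERENCE_PAGE, OBSERVED_PAGE):
        print(tag, " ".join(f"{k}={v}" for k, v in attrs))
```

Because a form's `action` is among the watched attributes, a webinject that only rewrites where an existing form posts to shows up as a "new" form element in the diff, not just as added inputs. The check is server-side and unaffected by anything the malware does inside the browser, which is the property that matters when the client itself cannot be trusted.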
“This content can be anything, but is usually a form intended to harvest user credentials or JavaScript designed to attempt automatic money transfers without the user’s knowledge or consent,” says Jean-Ian Boutin, researcher at ESET lab in Montreal, Canada.
“Qadars webinject configuration file changes frequently and targets specific institutions. To maximize their success with these webinjects, the malware authors try to infect users in specific regions of the world,” adds Jean-Ian Boutin.
A more detailed analysis of this malware is available in the blog post "Qadars – A Banking Trojan with Netherlands in its sight" on WeLiveSecurity.com, ESET's news platform with the latest information and analysis on cyber threats and useful security tips.