THE QADARS TROJAN malware has been tweaked and polished, and is now better than ever at evading detection.
It's also now targeting UK banks, so it may be time to withdraw all your readies and stuff them under the mattress.
This comes barely a month after the Linux.Lady trojan was found to be turning Linux servers into bitcoin miners. (And if you mis-type that and write 'bitcoin minters' as we did initially, that works too).
The malware has been configured in recent years to attack banks in France, The Netherlands, Australia, Canada and the US. However, it now appears to have been updated with a focus on UK financial institutions, with IBM noting that its configuration has been tailored to target 18 British banks.
A post on the IBM X-Force blog showed that the trojan has the following capabilities:
- Hooking the internet browser to monitor and manipulate user activity
- Fetching web injections in real time from a remote server
- Supplementing fraud scenarios with an SMS hijacking app
- Orchestrating the full scope of fraudulent data theft and transaction operation through an automated transfer system panel.
The updated code also gives Qadars more ways to defeat traditional cyber defences.
"Qadars' new version obfuscates all of its Win32 API calls by employing a common trick often used by banking malware of this grade, such as URLZone, Dridex and Neverquest," said IBM X-Force.
"When the malware code starts to run, and after the packer has completed its part, it dynamically resolves all the memory addresses of the APIs it's going to use.
"Qadars contains hardcoded CRC32 values for all the function names it plans to use. To resolve the actual memory address of a function, it will iterate over the export table of a particular system DLL and compare the CRC32 of each exported function name against the hardcoded one.
"If a match is found, Qadars saves the memory address of the function in a global variable.
"The malware adds a twist to this well-known dynamic API resolving method by XORing the hardcoded CRC32 values of the function names with another constant value that's embedded in the binary itself.
"By employing this method, Qadars makes it a bit harder for scripts to find and annotate the actual Win32 APIs it uses."
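The resolving trick IBM describes can be turned around by an analyst: precompute the obfuscated hash of every candidate export and map the constants found in the binary back to API names. The script below is an added illustration, not code from the article or from IBM X-Force, and everything in it is constructed: the export list, the XOR constant, the "stored" hash values, and the assumption that the family uses the standard CRC32 polynomial (zlib's), which the article does not state. It also goes one step further than the quoted text by recovering an unknown XOR constant when the analyst can guess a single API that must be in the set.

```python
import zlib

# Constructed sample of export names an analyst might pull from a system
# DLL's export table. Not taken from Qadars; any real list would come from
# parsing the DLL (for example with pefile).
SAMPLE_EXPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "VirtualAlloc",
    "VirtualProtect", "GetProcAddress", "LoadLibraryA", "GetModuleHandleA",
    "WriteProcessMemory", "HttpSendRequestA", "InternetOpenA",
]

# Hypothetical XOR constant standing in for the value embedded in the binary.
XOR_KEY = 0x5A3C9E1F


def name_hash(name: str) -> int:
    """CRC32 of the ASCII export name. Assumes the standard polynomial;
    other families use custom variants, so this is the first thing to verify."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def obfuscated_hash(name: str, key: int = XOR_KEY) -> int:
    """What the binary would store: CRC32 of the name XORed with the constant."""
    return name_hash(name) ^ key


def build_lookup(exports, key: int = XOR_KEY) -> dict:
    """Precompute obfuscated hash -> export name for every candidate."""
    return {obfuscated_hash(name, key): name for name in exports}


def resolve_hashes(stored_hashes, exports, key: int = XOR_KEY) -> dict:
    """Annotate each constant from the binary with an API name, or None
    when no candidate export produces that value (wrong DLL, wrong key,
    or wrong CRC variant)."""
    table = build_lookup(exports, key)
    return {h: table.get(h) for h in stored_hashes}


def recover_xor_key(stored_hashes, exports, known_name: str):
    """If the analyst is confident one API (say LoadLibraryA) is in the set,
    treat each stored constant in turn as that API's obfuscated hash,
    derive the key it implies, and keep the key that explains the most
    other constants. Returns (key, number_of_resolved_constants)."""
    best_key, best_hits = None, -1
    for h in stored_hashes:
        candidate = h ^ name_hash(known_name)
        resolved = resolve_hashes(stored_hashes, exports, candidate)
        hits = sum(1 for v in resolved.values() if v is not None)
        if hits > best_hits:
            best_key, best_hits = candidate, hits
    return best_key, best_hits


# Constructed "constants recovered from a sample": three real obfuscated
# hashes plus one value no candidate export will match.
UNKNOWN_CONSTANT = 0xDEADBEEF
STORED_HASHES = [
    obfuscated_hash("VirtualAlloc"),
    obfuscated_hash("WriteProcessMemory"),
    obfuscated_hash("LoadLibraryA"),
    UNKNOWN_CONSTANT,
]

if __name__ == "__main__":
    for h, name in resolve_hashes(STORED_HASHES, SAMPLE_EXPORTS).items():
        print(f"0x{h:08X} -> {name or '<unresolved>'}")
    key, hits = recover_xor_key(STORED_HASHES, SAMPLE_EXPORTS, "LoadLibraryA")
    print(f"recovered key 0x{key:08X} explains {hits} of {len(STORED_HASHES)} constants")
```

In practice the export list would be read from the actual DLL the sample iterates over, and if nothing resolves the next suspects are a non-standard CRC32 polynomial or a key applied differently than a plain XOR; the lookup-table approach is unchanged either way, which is why the obfuscation only makes annotation "a bit harder", as IBM puts it.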
The INQUIRER is currently debating the subject of ransomware, and whether it's today's biggest security threat. Cast your vote now. µ