The Qadars trojan has had some of its code revamped in an effort to avoid detection and to refocus its payloads on UK banks.
The malware has been configured in recent years to attack banks in France, The Netherlands, Australia, Canada and the US. However, it now appears to have been updated with a focus on UK financial institutions.
A post on the IBM X-Force blog showed that the trojan has the following capabilities:
- Hooking the internet browser to monitor and manipulate user activity
- Fetching web injections in real time from a remote server
- Supplementing fraud scenarios with an SMS hijacking app
- Orchestrating the full scope of fraudulent data theft and transaction operation through an automated transfer system panel.
The updated code also gives Qadars more ways to defeat traditional cyber defences.
"Qadars' new version obfuscates all of its Win32 API calls by employing a common trick often used by banking malware of this grade, such as URLZone, Dridex and Neverquest," said IBM X-Force.
"When the malware code starts to run, and after the packer has completed its part, it dynamically resolves all the memory address of the APIs it's going to use.
"Qadars contains hardcoded CRC32 values for all the function names it plans to use. This enables it to resolve the actual memory address of the function it will iterate over the export table of a particular system DLL and compare the CRC32 of the exported function name against the hardcoded one.
"If a match is found, Qadars saves the memory address of the function in a global variable.
"The malware adds a twist to this well-known dynamic API resolving method by XORing the hardcoded CRC32 values of the function names with another constant value that's embedded in the binary itself.
"By employing this method, Qadars makes it a bit harder for scripts to find and annotate the actual Win32 APIs it uses."
Mark James, security specialist at ESET, explained that it was just a matter of time before the trojan was used against UK banks.
"As the UK has a very strong economic state with some very good established financial headquarters it would stand to reason that malware designed to hit banking organisations will try to infect as many here as possible," he said.
"The trouble with the internet is it has no real boundaries, so countries from a malware point of view just blend into one big attack vector.
"Malware evolves and develops in many ways, some because the first attack method was stumped or unsuccessful, some because better or newer techniques develop into a more successful means to infect.
"But we often see older strains or variants resurface causing new havoc. Malware that targets a specific vector or industry is often harder to detect as its global footprint is somewhat smaller."
James also provided a few tips for companies to better shore up their defences.
"As always, good security needs to be multi-layered. Regularly updating internet security software, along with traffic and data monitoring and well laid out policies, will form a good base to build up your security," he said.
"As malware does very often resurface, making sure your security products retain their ability to detect older malware is a must. Also ensure that user or staff education is kept current and up to date.
"So many attack methods use the human element, and educating and encouraging staff to form an integral part of the business's security is ultra-important.
"The instant reward from the financial segment will continue to make this industry a desirable target, and the UK will continue to be near the top of that list."
AlphaBay users had flocked to Hansa after it was closed down - not realising it had already been taken over by Dutch police
Microsoft closes in on $100bn annual revenues with sales weighing-in at $23.3bn
Moves to take down cyber-squatted domains reveals Fancy Bear hacking network, claims Microsoft
Intel claims 'world first' in artificial intelligence that can be plugged-in almost anywhere