Latest Qadars Banking Trojan Puts New Spin on Old Worries
By BUFFERZONE Team, 13/10/2016
As if the banking sector needed a new reason to worry about cyber security, IBM’s X-Force Research team recently confirmed that the notorious Qadars Trojan has once again reared its malicious head as part of a campaign targeting financial institutions in the UK, Germany, Poland and the Netherlands.
Qadars, which has been active since at least 2013, uses social engineering to breach endpoints via exploit kits deployed on compromised machines or domains. It has also used downloader-type malware to ensnare victims and launch botnets. Once a machine is infected, the attackers take over and steal everything they can find. In addition, they monitor all activity on the victim’s device and even hijack text messages on mobile phones, which enables them to get past the two-factor authentication systems used by banks.
Apparently, the latest and, alas, worst version of Qadars (v3) appears to be the work of a professional, well-funded and organized group, likely based in Russia. Among the most troubling innovations in this variant is that Qadars fools users into thinking it is time for a Windows security update. But when they click install, instead of enhancing their protection, users actually grant Qadars full administrator rights to their machine.
There is also some speculation that Qadars’ attack pattern, targeting one small region at a time, is deliberate, designed to help the attackers fly under the radar and avoid the publicity of high-profile banking malware such as Dridex. If this theory is correct, then the next country or region on Qadars’ hit list will be attacked fast and furiously, as was the case in the UK, where 18 banks were hit in a short period of time.
Regulations On the Way
At the same time, banks hoping for some respite, understanding or just plain mercy from the government may find that the winds have shifted mightily since circa 2008. For example, the Governor of New York State recently introduced the U.S.’s first regulation that would require banks and other financial services institutions to establish and maintain a cybersecurity program “designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry”. Other states are eyeing developments and will invariably follow suit once similar regulation snakes its way through their legislatures.
Avoiding the ‘Net and Air Gaps Aren’t the Answer
To fight back against Qadars and other threats, many banks are preventing employees from using the internet, or are maintaining two separate networks. However, this is proving impractical and unworkable. Employees need internet-facing apps and web access to carry out their day-to-day tasks, and obliging them to use new, unfamiliar tools is inefficient and leads to errors. Maintaining two separate networks may be viable at head office, but it is extremely, if not prohibitively, costly in branches and satellite offices.
The BUFFERZONE Solution
BUFFERZONE creates a virtual container on endpoints, within which internet-facing apps and programs (e.g. Microsoft Office, email, web chat, etc.) can run normally. However, if malware such as Qadars tries to establish a foothold, it is automatically trapped in the container and can neither compromise the endpoint nor migrate to the network. InfoSec teams can spring into action and wipe the container locally or remotely to eliminate the threat. They can also follow up by investigating the breach to prevent future attacks (e.g. provide end-user training, install updates and patches, etc.).
The Bottom Line
Qadars is sophisticated and scary, but really, this is just a new spin on an old worry. Cyber criminals have always targeted banks and financial sector institutions, and as long as their campaigns continue to be profitable, they will continue their attacks. So it is not a question of whether Qadars v4 will show up, but when – and how dangerous it will be. Organizations that rely on BUFFERZONE will be much better positioned than their unprotected counterparts when this inevitable development occurs.