A new banking malware has been seen targeting at least French, Dutch and Indian banks. It is named “Qadars” by and Sophos.
It operates the same way as ZeuS (from which it borrowed some code), injecting code in explorer.exe to hook functions in order to steal information from the browser before it is encrypted and sent to banking websites (i.e. Man-in-the-Browser). It also steals personal certificates and cookies from Internet Explorer and Firefox.
One difference from its older ZeuS cousins lies in the way it launches itself and in the webinjects it retrieves.
When launched, Qadars recursively enumerates the folders inside the %APPDATA% directory and randomly picks a subfolder at each level, descending to a maximum depth of 4 directories, then copies itself into the last chosen directory under a random seven-character name. As an example, that could be %APPDATA%\Mozilla\Firefox\Profiles\3lqhdreh.default\xotiefs.exe. It is therefore well hidden inside an existing directory tree, which makes it difficult to spot during a routine check, whereas the random directory names generated by ZeuS or Citadel are easy to see.
To survive a reboot, it adds a scheduled task for the current user that launches the copied executable when the victim logs on. To be stealthier, the .job file in the %Windir%\Tasks directory is given the hidden attribute and thus does not show up when listing existing scheduled tasks in Windows Explorer.
Like ZeuS, it works from a configuration that defines the targeted URLs into which specific code is injected. This configuration is stored in the registry, XORed and encrypted with AES, so it does not appear in clear text when opened manually. Amusingly, the injection configuration spotted in this campaign starts with the string “INJECT IS GOOD” followed by a number, which may be the configuration's version number.
Another interesting thing in this campaign is the injected code itself. When a targeted URL is visited by the victim, the injected code is retrieved from a remote server. The request to that server follows this pattern:
“maliciousdomain/gate.php?data=<base64 encoded string>”
The encoded string contains a variable named “project”, which is set to “log-bankname” or “mob-bankname”. In the former case, the injected code is a fairly traditional feature that steals the victim's online banking credentials; the latter case is much more audacious. After the victim has authenticated, a message is displayed explaining that, since more and more fraudsters manage to intercept the SMS authentication codes banks send to their clients, the bank has developed a smartphone application to prevent such interceptions. A form then asks for the victim's phone number and phone model, which causes an SMS with a link to download the mobile application to be sent to the victim. To make sure the victim installs the application, the injected code blocks access to the account until an activation code provided by the application is entered.
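Because the webinject is fetched on demand from gate.php with a base64-encoded query string, the request pattern above is a useful thing to match in proxy logs. The following is an added detection example, not code from the original post or the malware: it pulls gate.php requests out of log lines, decodes the data parameter and classifies the request as a credential-theft inject (“log-”) or a mobile-app lure (“mob-”) from the “project” variable. The post does not document the decoded payload's exact layout, so this example assumes a plain key=value&key=value string; the sample log lines and the domain maliciousdomain.example are constructed.

```python
"""Classify Qadars-style gate.php webinject requests found in proxy logs.

Added example, not from the original post. Assumption: the base64-decoded
`data` parameter is a plain key=value&key=value string containing
project=log-<bank> or project=mob-<bank>. Sample log lines are constructed.
"""
import base64
import binascii
import re

# A gate.php URL with its query string, as it would appear in a log line.
GATE_RE = re.compile(r"\S*/gate\.php\?[^\s\"']+")
# The data= parameter; standard and URL-safe base64 alphabets are accepted.
DATA_RE = re.compile(r"(?:^|[?&])data=([A-Za-z0-9+/=_-]+)")
# project=log-<bank> (credential theft) or project=mob-<bank> (mobile lure).
PROJECT_RE = re.compile(r"\bproject=(log|mob)-([A-Za-z0-9_.-]+)")


def decode_gate_request(text):
    """Return (kind, bank) for the first gate.php request in `text`, where kind
    is "log" or "mob", or None if there is no decodable webinject request."""
    m = GATE_RE.search(text)
    if not m:
        return None
    query = m.group(0).split("?", 1)[1]
    d = DATA_RE.search(query)
    if not d:
        return None
    # Normalise URL-safe base64 and restore padding before a strict decode.
    token = d.group(1).replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        payload = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    p = PROJECT_RE.search(payload)
    return (p.group(1), p.group(2)) if p else None


def scan_proxy_log(lines):
    """Return [(kind, bank, url)] for every line carrying a webinject request."""
    findings = []
    for line in lines:
        result = decode_gate_request(line)
        if result:
            findings.append((result[0], result[1], GATE_RE.search(line).group(0)))
    return findings


def _encode(payload):
    """Helper used only to build the constructed sample lines below."""
    return base64.b64encode(payload).decode("ascii")


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.example.org/index.html 200",
    "10.0.0.5 GET http://maliciousdomain.example/gate.php?data="
    + _encode(b"project=log-examplebank&id=42") + " 200",
    "10.0.0.5 GET http://www.example.org/images/logo.png 200",
    "10.0.0.5 GET http://maliciousdomain.example/gate.php?data="
    + _encode(b"id=43&project=mob-examplebank") + " 200",
]

if __name__ == "__main__":
    for kind, bank, url in scan_proxy_log(SAMPLE_LOG):
        label = "credential inject" if kind == "log" else "mobile-app lure"
        print(f"{label:18} bank={bank:14} {url}")
```

A “mob-” hit is worth prioritising: it means the victim's session reached the step where the fake SMS-protection application is offered, so the phone number entered there may already be receiving the malicious download link.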
Of course, the mobile application is fraudulent and precisely allows the attacker to obtain the codes sent by the bank after specific sensitive operations such as adding a wire transfer beneficiary.
It is different from Zitmo, because it allows messages or calls to be filtered and redirected based on content or sender/caller data. The fraudsters can remotely control the command parameters by sending an encoded SMS to the victim’s number.
This version will maybe be named “Qitmo” (thanks for the suggestion). The application we analyzed works on Android mobile phones, but the injected code suggests there is also a BlackBerry version.
In the end, Qadars is a banking malware performing a usual Man-in-the-Browser attack to steal online credentials and lure the user into installing a fraudulent SMS-stealing mobile application. It shares some code with ZeuS, but uses some other tricks to avoid being caught. The author seems to be distracted, as he sometimes ships his executable with a PDB file, which eases reverse engineering of the file, and we suspect that he once submitted an unpacked version of his malware to the