Trojan-Banker.Win32.Qadars

Malware of this family is distributed by cybercriminals using the Nuclear Exploit Kit and in spam messages. An exploit kit is used to look for exploits in programs installed on client computers.

When malware of this family is run on an infected computer, a downloader starts. The downloader determines whether the operating system is 32-bit or 64-bit and then downloads the appropriate version of the main module of the malware. The main module contacts a command-and-control server controlled by cybercriminals and downloads additional modules for performing various malicious actions.

The malware family supports the following add-on modules:
• browser injector
• keylogger
• tor
• vnc
• backconnect
The main module also downloads configuration files for each add-on module. For example, for targeting a browser, the malware downloads the code that it will insert into the web pages opened in the browser.

The malware encrypts the connection between the infected computer and the command-and-control server controlled by the cybercriminal. A pair of encryption algorithms (RSA + AES) is used for data transfer. The data transfer protocol is based on Concise Binary Object Representation (CBOR).
In addition, the Trojan-Banker.Win32.Qadars family uses the Domain Generation Algorithm (DGA) to conceal the IP address of the command-and-control server.

Geographical distribution of attacks by the Trojan-Banker.Win32.Qadars family

Geographical distribution of attacks during the period from 03 June 2015 to 03 June 2016

Top 10 countries with most attacked users (% of total attacks)

* Percentage among all unique Kaspersky users worldwide attacked by this malware