Malware of this family is distributed by cybercriminals using the Nuclear Exploit Kit and in spam messages. An exploit kit probes programs installed on client computers for vulnerabilities that it can exploit.
When malware of this family is run on an infected computer, a downloader starts. The downloader determines whether the operating system is 32-bit or 64-bit and then downloads the appropriate version of the main module of the malware. The main module contacts a command-and-control server controlled by cybercriminals and downloads additional modules for performing various malicious actions.
The malware family supports the following add-on modules:
The malware encrypts the connection between the infected computer and the command-and-control server controlled by the cybercriminal. A pair of encryption algorithms (RSA + AES) is used for data transfer. The data transfer protocol is based on Concise Binary Object Representation (CBOR).
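For an analyst inspecting traffic after the RSA + AES layer has been removed, the following added example (not code from the original page or from the malware) decodes definite-length CBOR as defined in RFC 8949, with bounds, depth and trailing-byte checks because the input is untrusted. The function names, the depth limit and the sample message are assumptions made for illustration; the sample is constructed and does not reflect this family's actual message layout.

```python
MAX_DEPTH = 32  # assumption: cap nesting so hostile input cannot exhaust the stack

def _arg(data, pos, info):
    """Decode the argument that follows a CBOR initial byte."""
    if info < 24:
        return info, pos
    if info > 27:
        raise ValueError("indefinite or reserved length not supported")
    size = 1 << (info - 24)  # 24, 25, 26, 27 -> 1, 2, 4, 8 bytes
    if pos + size > len(data):
        raise ValueError("truncated argument")
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def _item(data, pos, depth=0):
    """Decode one data item starting at pos; return (value, next_pos)."""
    if depth > MAX_DEPTH or pos >= len(data):
        raise ValueError("nesting too deep or truncated item")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    if major == 7:  # simple values: only false, true and null are handled
        if info not in (20, 21, 22):
            raise ValueError("unsupported simple value or float")
        return {20: False, 21: True, 22: None}[info], pos + 1
    arg, pos = _arg(data, pos + 1, info)
    if major in (0, 1):  # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):  # byte string / UTF-8 text string
        if pos + arg > len(data):
            raise ValueError("truncated string")
        raw = bytes(data[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 6:  # tag: keep the tag number next to the tagged value
        value, pos = _item(data, pos, depth + 1)
        return ("tag", arg, value), pos
    values = []  # major 4 (array) or 5 (map): arg counts items or key/value pairs
    for _ in range(arg * (2 if major == 5 else 1)):
        value, pos = _item(data, pos, depth + 1)
        values.append(value)
    return (values if major == 4 else dict(zip(values[0::2], values[1::2]))), pos

def decode(data):
    """Decode exactly one CBOR item and reject trailing bytes."""
    value, pos = _item(data, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return value

# Constructed sample, not a captured message and not this family's layout:
# {"type": 1, "body": h'deadbeef', "tags": ["a", "b"]}
SAMPLE = bytes.fromhex("a3 6474797065 01 64626f6479 44deadbeef 6474616773 82 6161 6162")
```

Floats, indefinite-length items and maps with array or map keys are outside what this decoder handles; the first two raise `ValueError`.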
Geographical distribution of attacks by the Trojan-Banker.Win32.Qadars family
Top 10 countries with most attacked users (% of total attacks)
* Percentage among all unique Kaspersky users worldwide attacked by this malware