In January we released an in-depth technical white paper that pulls apart the Qadars Banking Trojan, a threat that targets financial institutions, POS systems, and even popular online gaming sites.
There was a great deal of information, including just how much effort our R.A.I.D. team had to put into reverse-engineer the malware, which is why we wanted to further highlight exactly why this trojan is such a threat.
Not only is Qadars technically advance, but it uses various methods to protect itself from reverse-engineering or altering it. In the clip below, Jason Davison, PhishLabs Malware Researcher highlights why the modular features of the malware make it a true threat.
Qadars loader module is where a victim typically executes the malware and sets everything in motion. The loader is responsible for downloading and running an installer module and base module. Once downloaded, the loader will delete itself, and all subsequent times Qadars is run, it’s from the installer module.
However, the base module is responsible for downloading subsequent modules, including a tor module that facilitates communication with a .onion command and control server. This makes it difficult to identify what communication with the command and control server looks like because it’s on a .onion domain. As such, this is a clear sign that the threat actors don’t want anyone messing with their trojan.
Like the installer and base modules, there are additional ways Qadars protects itself. It even uses 128-bit encryption in its communication to ensure traffic is obfuscated and goes unmodified. While Qadars prefers and defaults use to the .onion domain, which in turn makes it incredibly hard to actually shut down, there are two additional failsafes. If Qadars can’t communicate with the .onion server, it will then use Dynamic C2 retrieves or a domain generation algorithm that will generate a list of domains. However, ideally, Qadars wants .onion because it is very hard to analyze and very difficult to have anything shut down on the domain.