{
	"id": "cc939672-01a8-4638-90db-6b12a1d94fe7",
	"created_at": "2026-04-06T00:17:29.3449Z",
	"updated_at": "2026-04-10T03:21:03.56372Z",
	"deleted_at": null,
	"sha1_hash": "4bf50f3f3c4c5f752f58067f5f11a908ebfb1285",
	"title": "Qadars – a banking Trojan with the Netherlands in its sights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 952889,
	"plain_text": "Qadars – a banking Trojan with the Netherlands in its sights\r\nBy Jean-Ian Boutin\r\nArchived: 2026-04-02 11:38:17 UTC\r\nIntroduction\r\nA new banking Trojan has been making its rounds in the past few months. First publicly discussed by LEXSI, this\r\nbanking Trojan has been very active, infecting users throughout the world. Its modus operandi is banking fraud\r\nthrough web injection. While this approach has been present for a long time in various banking Trojan families, it\r\nis still effective. Win32/Qadars uses a wide variety of webinjects, some with Android mobile components, used to\r\nbypass online banking security and to gain access to users’ bank accounts. Usually, banking Trojans either target a\r\nbroad array of financial institutions or focus on a much smaller subset, usually institutions whose user base\r\nis geographically close. Win32/Qadars falls in the second category: it pinpoints users in specific regions and uses\r\nwebinject configuration files tailored to the banks most commonly used by the victims. As we have been\r\nmonitoring its evolution, we have seen six main countries affected by Win32/Qadars:\r\nNetherlands\r\nFrance\r\nCanada\r\nIndia\r\nAustralia\r\nItaly\r\nWhile most of the attacks directed at users in these countries were launched in waves, users in the Netherlands\r\nwere targeted throughout the monitoring period. This threat caught our attention because:\r\nIt is still very active after six months and is continuously updated\r\nIt targets very specific regions of the world\r\nIt uses a wide range of webinjects, some of which were also used by another banking Trojan family in a\r\ncompletely unrelated campaign\r\nIt uses Android/Perkele to bypass mobile-based two-factor authentication systems\r\nHistorical Perspective\r\nThe first sign we saw of this malware was in mid-May 2013. 
The following graph shows the daily detections for\r\nWin32/Qadars.\r\nhttps://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/\r\nPage 1 of 12\n\nFigure 1 : Win32/Qadars Daily Detections\r\nAlthough the first detections occurred in May, the first true wave of infections occurred in late June. Interestingly,\r\nthe authors seem to have been through a testing phase since the next detection spike was seen weeks later with\r\nbarely any detections in between. Also, Italian users were mainly targeted in the first wave while the subsequent\r\ncampaign mainly targeted Dutch users. We believe that this kit is either kept private or being sold only to selected\r\npeople. We have seen a handful of different campaigns, but most of the infections we’ve analyzed are from the\r\nsame campaign and thus share the same command and control (C\u0026C) servers.\r\nWe can track the evolution of the malware through the build number that is embedded in the executable. The first\r\nversion we saw was 1.0.0.0 and the latest one is 1.0.2.7. The steady release of new versions indicates that this\r\nmalware is in constant maintenance and development. The following graph shows the date each version was first\r\nseen by our telemetry data.\r\nFigure 2 : Build Number Evolution Throughout the Monitoring Period\r\nTechnical Analysis\r\nWin32/Qadars uses a Man-in-the-Browser (MitB) scheme to perform financial fraud. Just like Win32/Spy.Zbot,\r\nWin32/Qadars injects itself into browser processes to hook selected APIs. Using these hooks, it is able to inject\r\ncontent into pages viewed by the user. This injected content can be anything, but is usually a form intended to\r\nharvest user credentials or JavaScript designed to attempt automatic money transfers without the user’s knowledge\r\nor consent. 
Webinject configuration files are downloaded from the C\u0026C server and contain the URL for the target\r\nwebpage, the content that should be injected into the webpage and finally where it should be injected. This\r\nconfiguration file format is very similar to that of all the other banking Trojans out there. Once downloaded, the\r\nconfiguration is kept AES-encrypted in the computer’s registry keys. Currently, Win32/Qadars is able to hook two\r\ndifferent browsers so as to perform content injection: Firefox and Internet Explorer. There is a stub for\r\nChrome in the code, so we might see support for this browser in the future.\r\nOnce the malware is installed on a machine, the bot herder can control his bots through different commands, most\r\nof which are listed in the table below.\r\nTable 1: Commands and Description\r\nOne addition that was made in version 1.0.2.7 is an FTP credential stealer. It supports a wide array of FTP clients\r\nand tries to open up their configuration files and steal the user’s credentials. Interestingly, in order to steal user\r\ncredentials, it integrates some known static passwords that some of these FTP clients use by default to encrypt\r\ntheir configuration file. This behavior is not new and has already been seen in Win32/PSW.Fareit (Pony Loader),\r\nfor example.\r\nNetwork Communications\r\nWin32/Qadars uses AES in ECB mode to encrypt its network communications. Before sending a message, the\r\nclient will generate a random string of nine (9) characters and will use its MD5 hash as the AES key to encrypt it.\r\nIt will also generate another random string which it will embed in the message sent to the server. This key will be\r\nused by the server to encrypt its response. 
To securely transfer the AES key used to encrypt the message to the\r\nserver, the client will further encrypt it, two characters at a time, and append it to the message. Finally, the overall\r\nmessage is encoded using base64 and sent to the server. The following figure depicts this process and lists the\r\ndifferent fields present in the messages sent to the server.\r\nFigure 3 : Client-to-Server Communication\r\nThe server response is encrypted using the server key embedded in the client request. It also appends the MD5\r\ndigest of the message as an error detection mechanism. The following figure shows the structure of the server\r\nresponse.\r\nFigure 4 : Server-to-Client Communication\r\nExamining the different message IDs used by Win32/Qadars tells us more about its functionalities. The table\r\nbelow lists most of the different message IDs and their description.\r\nTable 2 : Message IDs and Description\r\nKnowing the network protocol used by Win32/Qadars greatly enhanced our ability to track the botnet and study its\r\nbehavior.\r\nInfection Vector\r\nWin32/Qadars' webinject configuration file changes frequently and targets specific institutions. To maximize their\r\nsuccess with these webinjects, the malware authors try to infect users in specific regions of the world. In the\r\nfollowing section, we will show which countries were the most targeted, but let’s first take a look at the infection\r\nvectors the malware authors chose so as to target specific countries. From May to October, it is not clear how the\r\nmalware was spreading. Through our telemetry system, we found several hints that they might have bought\r\ncompromised hosts in the countries they were interested in. 
We draw this conclusion because all of the\r\ncompromised computers we analyzed also had Trojan downloaders and other infamous Pay-per-Install (PPI)\r\nmalware such as Win32/Virut.\r\nBeginning in November, we saw that Win32/Qadars is now also being distributed through the Nuclear Exploit Kit.\r\nBelow are a few URLs that were used to distribute it at the beginning of November. The Nuclear Exploit Kit\r\npattern used at the time is clearly visible:\r\nhxxp://nb7wazsx[.]briefthink[.]biz:34412/f/1383738240/3447064450/5\r\nhxxp://o3xzf[.]checkimagine[.]biz:34412/f/1383770160/1055461891/2\r\nhxxp://pfsb77j2[.]examinevisionary[.]biz:34412/f/1383780180/1659253748/5\r\nBoth of these infection vectors allow the bot masters to choose where the computers they compromise are located.\r\nRegional Targets\r\nWin32/Qadars has focused mainly on six countries up until now: the Netherlands, France, Canada, Australia, India\r\nand Italy. The following graph shows the geographical distribution of the detections in the period May 2013 to\r\nNovember 2013.\r\nFigure 5 : Detection Distribution\r\nWin32/Qadars clearly seeks to infect Dutch computers as 75% of detections come from this country. Analysis of\r\nthe times when it was detected shows that there were several infection waves.\r\nFigure 6: Win32/Qadars Daily Detections by Countries\r\nDetections in the Netherlands always show the highest prevalence, followed by detections reported in France. The\r\ncase of Canada is particularly interesting as all of the detections in this country occurred in the last fifteen (15)\r\ndays of October. 
Of course, the webinject configuration file downloaded by the bots at this time contained code that\r\ntargeted the main Canadian financial institutions.\r\nThe webinject downloaded by the bots targets financial institutions in the six countries mentioned above with\r\nvarying degrees of sophistication. Some webinjects will just collect extra information whenever a user tries to log in\r\nto his bank’s secure website. This is done through the injection of an extra form or elements asking the user for\r\nprivate information whenever he logs into his bank. An example form is shown below.\r\nFigure 7 : Phishing-like Webinject\r\nOther webinjects are much more complicated and can perform transactions automatically and bypass the two-factor authentication systems implemented by banks.\r\nWebinjects\r\nThe webinjects used by banking Trojans can be obtained in several different ways. They can be directly coded by\r\nthe cybercriminals who operate the botnet, or they can be bought. There are several coders offering to sell public\r\nwebinjects or to produce them tailored to the customer’s wishes. There are many such offers and some will even\r\nask for a different price depending on the features needed. When analyzing webinjects used by Win32/Qadars, it is\r\nclear that they were not all written by the same people as the techniques and coding styles are quite different. In\r\nfact, we believe that they were all bought on various underground forums. One webinject platform they use has a\r\ndistinctive way of fetching external content such as scripts and images. The URL in the injected JavaScript will\r\nlook something like this:\r\nhxxp://domain.com/gate.php?data=cHJvamVjdD1tb2ItaW5nbmwtZmFuZCZhY3Rpb249ZmlsZSZpZD1jc3M=\r\nThe “data=” portion of the URL is base64 encoded. 
When decoded, this string reads “project=mob-ingnl-fand\u0026action=file\u0026id=css”, which clearly gives away the target as well as which file it is trying to retrieve.\r\nInterestingly, we found the exact same kind of syntax in webinjects used by a campaign targeting Czech banks and\r\nusing Win32/Yebot (alias Tilon) as the banking Trojan. Although we found no trace of this particular webinject\r\nplatform in the underground forums we looked at, we did find several other offerings.\r\nAutomatic Transfer System (ATS)\r\nATS, now commonly used in banking Trojans, is a term applied to webinjects that aim to initiate an automatic\r\ntransfer once a user accesses his bank account through a compromised computer. It will usually contain code to\r\nautomatically find the account with the highest balance and initiate a transfer to an account controlled by the attacker or a\r\nmoney mule. The code will usually contain some tricks (read: social engineering) to defeat two-factor authentication\r\nsystems that are sometimes imposed by banks when performing transfers. We have found several coders in\r\nunderground forums selling public or private ATS for several banks around the world. In the underground forums,\r\na “public” webinject is one that is sold to anyone by the vendor while a “private” one is customized to the buyer’s\r\nneeds and is usually not resold by the coder. In general, buyers of private webinjects will get the source code and\r\nthe rights to redistribute it to others. We know that the Win32/Qadars authors are buying some webinjects because we\r\nfound one public ATS that they had integrated into their webinject configuration file. 
Like many other offerings,\r\nthis coder sells, along with the webinject, an administrator panel (shown below) to let the cybercriminals control\r\nseveral aspects of how the automatic transfer should be carried out.\r\nFigure 8 : ATS Webinject Administration Panel\r\nThis particular offering is targeting a French bank and the coder claims that it can bypass the SMS two-factor\r\nauthentication system put in place by the bank to prevent fraudulent transfers.\r\nPerkele\r\nIn several ATS we have analyzed, like the one described above, the malware must intercept an SMS so as to make\r\nthe transfer go through. This is necessary because the bank sends a transaction authorization number (TAN) to the\r\nuser’s mobile whenever he initiates a money transfer. The user must input this TAN in his browser before the\r\ntransfer is authorized. The usage of a mobile component by a banking Trojan is not new. Zeus-in-the-Mobile, or\r\nZitMo, and others have been around for quite some time. What is particularly interesting in this case is that several\r\nwebinject coders are actually bundling such mobile malware with their webinjects. This means that a bot master\r\ncan now buy very complex webinjects that are not only JavaScript code, but also contain an administration panel\r\nand some mobile malware customized to the targeted bank.\r\nIn the case of Win32/Qadars, the mobile component we’ve seen bundled with the webinject is Android/Perkele,\r\nmobile malware that can intercept SMS messages and forward them to the cybercriminals. This kit has already\r\nbeen profiled by Brian Krebs. The webinject takes care of everything in this case: when the user logs into his bank\r\naccount, content is injected into his browser asking him to specify his mobile brand and to download a “security”\r\napplication onto his mobile phone. 
Since the user sees this content while he is accessing his account, he is more\r\nlikely to believe that this message is genuine and that the application truly comes from his bank. In one sample we\r\nanalyzed, once the banking application is installed on the phone, it sends an SMS message to a phone number in\r\nUkraine.\r\nFigure 9 : Screenshot of Android/Perkele Targeting a French Banking Institution\r\nAndroid/Perkele supports the Android, BlackBerry and Symbian operating systems, but we have seen only the\r\nAndroid component used in conjunction with Win32/Qadars. Once the application is installed on the user’s phone,\r\nthe automatic transfer can be attempted, since the SMS containing the required TAN can be obtained by the\r\nfraudster. This webinject offering is a good example of malware commoditization. The botnet master can now buy\r\na complete solution that will allow him to conduct automatic transfers and bypass two-factor authentication\r\nsystems in a totally automated fashion. All he needs to provide is a way to inject content into the user’s browser.\r\nThis functionality is implemented in all modern banking Trojans.\r\nThe mobile malware Android/Perkele, once installed on a user’s mobile, is used by the fraudster to intercept SMS\r\nmessages and hide them from the user. It is interesting to see that Google is taking a proactive stance in order to\r\ndefeat this kind of threat. The newest Android OS, dubbed KitKat, has changed how the applications on the phone\r\ncan receive SMS messages and hide them from the user. It will now be much more complicated to hide SMS messages\r\nbecause there is only one application that will be able to do that, and by default that is the system messaging\r\napplication. 
Thus, users infected by threats like Android/Perkele will have a much better chance of spotting the\r\ninfection if they are running the latest Android OS.\r\nConclusion\r\nWe have lately seen a resurgence of new banking Trojans being spread in the wild. Win32/Napolar,\r\nWin32/Hesperbot and Win32/Qadars have all appeared in the last few months. It is probably no coincidence that\r\nthere is now a plethora of banking Trojan source code available following the leaks of Win32/Zbot and\r\nWin32/Carberp source code. Another interesting development to watch for is the thriving webinject coder scene.\r\nThese people are offering ever more sophisticated pieces of code that can bypass a wide range of two-factor\r\nauthentication systems. It will be interesting to see whether at some point the market matures enough for us to see\r\nthe emergence of popular webinject kits, in much the same way as happened in the exploit kit scene.\r\nSpecial thanks to Hugo Magalhães for his contribution to this analysis.\r\nSHA1 hashes\r\nWin32/Qadars (Nuclear Pack):    F31BF806920C97D9CA8418C9893052754DF2EB4D\r\nWin32/Qadars (1.0.2.3):         DAC7065529E59AE6FC366E23C470435B0FA6EBBE\r\nAndroid/Perkele:            B2C70CA7112D3FD3E0A88D2D38647318E68f836F\r\nSource: https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
	],
	"report_names": [
		"qadars-a-banking-trojan-with-the-netherlands-in-its-sights"
	],
	"threat_actors": [],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bf50f3f3c4c5f752f58067f5f11a908ebfb1285.pdf",
		"text": "https://archive.orkl.eu/4bf50f3f3c4c5f752f58067f5f11a908ebfb1285.txt",
		"img": "https://archive.orkl.eu/4bf50f3f3c4c5f752f58067f5f11a908ebfb1285.jpg"
	}
}