HQWar: the higher it flies, the harder it drops
#1
Bug 
Quote:
[Image: hqwar-the-higher-it-flies-the-harder-it-drops-1.png]

Mobile dropper Trojans are one of today’s most rapidly growing classes of malware. In Q1 2019, droppers were in the 2nd or 3rd position in terms of share of total detected threats, while holding nearly half of all Top 20 places in 2018. Since the droppers’ main task is to deliver the payload while sidestepping the protective barriers, and their developers are fully bent on countering detection, this is probably one of the most dangerous classes of malware.

One of the most dangerous and widely spread families of Trojan droppers is Trojan-Dropper.AndroidOS.Hqwar. Originally created as a MaaS infrastructure, today Hqwar is used for both small-scale attacks and big ones affecting thousands of users all over the world.

The very first versions of Hqwar saw the light in early 2016, getting quite popular by the end of the same year. It peaked in Q3 2018, when substantial numbers of financial malware payloads would come “packaged” with this dropper. Yet, beginning in Q4 2018, we observe its decline. The likely reason is that the tool is not updated frequently enough by its author, causing a customer outflow.

The very first Trojan packed with Hqwar was a piece of ransomware targeting Russian users. This is how this disgrace introduced itself to the victims, impersonating the Ministry of Internal Affairs (note that Hqwar was built by a Russian-speaking author, and many of its clients prey on Russian users).

Now one can say that only the lazy did not use Hqwar: Kaspersky’s collection of viruses features over 200,000 Trojans packed using Hqwar. When decrypting and unpacking these malicious objects, we found that almost 80% of them are financial threats, while nearly one third represent the banking Trojan family of Faketoken. In fact, it was the first ever banking Trojan whose authors began using Hqwar.

The Top 10 list of payloads most often bundled with Hqwar features such widely distributed Trojans as Asacub, Marcher and Svpeng. On several occasions, the dropper was carrying Korean bankers of the Wroba family and such famous SMS Trojans as Opfake and Fakeinst. But their authors seem to have used Hqwar just to try things out, so to speak: these “matryoshkas” did not gain much popularity. All in all, we know of 22 families of different Trojans packed with Hqwar, which shows how much interest cybercriminals take in droppers.
...