SecurityWeek

Neverquest Banking Trojan Updated to Include More Than 30 Financial Institutions in Japan

Whoever is behind the development of the Neverquest (Snifula) Trojan has been busy.

A new variant has been found targeting more than 30 Japanese financial institutions, including 12 regional banks. The update builds upon the Trojan’s previous capability to target eight banks in the country, and continues the malware’s focus on the nation. 

“Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use,” Symantec’s security response team noted. “We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online banking sites in Japan.”

As of July, Japan accounts for 20 percent of Snifula attacks. Together with the United Kingdom (24 percent) and Germany (20 percent), it makes up the top three. The United States is fourth with 15 percent.

The updated Trojan is the latest evolution of the Snifula malware family, which Symantec researchers trace back to 2006. It features a number of capabilities many cybercriminals would love: keystroke logging, digital certificate theft, screenshot and video capture, and remote access, to name a few. Once a machine is infected, the malware contacts the command and control server and downloads a configuration file for man-in-the-browser attacks.

A configuration file is designed for each target country and contains two parts. The first is code injected into Web pages to display phony messages that typically ask the user to input information such as personal identification numbers or one-time passwords. The second part of the file tells the malware what types of sites it should monitor. The malware monitors the Web pages the user visits and logs when any of the strings in the configuration file match part of a URL or Web page content.
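A defender-side use of the matching behaviour described above, as an added example that is not from the article or from Symantec: given trigger strings recovered from a configuration file, it lists which of an institution's own pages those strings would match. The trigger list, page inventory, function names and case-insensitive matching are assumptions; the real configuration format is not shown on this page.

```python
from urllib.parse import urlsplit

# Constructed trigger strings standing in for the "sites to monitor" part of a
# recovered configuration file. Not taken from any real Snifula configuration.
TRIGGERS = ["examplebank.test/login", "card.example-credit.test", "One-Time Password"]

# Constructed inventory of an institution's own pages: URL -> visible page text.
PAGES = {
    "https://www.ExampleBank.test/login?lang=ja": "Sign in to online banking",
    "https://www.examplebank.test/transfer": "Enter your one-time password to confirm",
    "https://www.examplebank.test/about": "Branch locations and opening hours",
}


def normalise_url(url):
    """Drop the scheme and lower-case host, path and query for matching."""
    parts = urlsplit(url)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return (parts.netloc + tail).lower()


def exposure_report(triggers, pages):
    """Return {url: [(trigger, where), ...]} for pages any trigger would match.

    Follows the matching the article describes: a trigger hits when it is a
    substring of the URL or of the page content. Case-insensitive comparison
    is an assumption of this example.
    """
    report = {}
    for url, body in pages.items():
        hits = []
        for trig in triggers:
            needle = trig.lower()
            if needle in normalise_url(url):
                hits.append((trig, "url"))
            if needle in body.lower():
                hits.append((trig, "content"))
        if hits:
            report[url] = hits
    return report


if __name__ == "__main__":
    for url, hits in exposure_report(TRIGGERS, PAGES).items():
        print(url, hits)
```

Pages that appear in the report are the ones where customers on infected machines would be monitored, so they are the natural place to prioritise fraud monitoring and customer warnings.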

While the configuration file for Japan contains more than 30 financial institutions, the file for Germany has 10 and the U.S. file contains a list of more than 50. The 12 regional banks in the configuration file for Japan are spread across 12 prefectures. Only one of these banks made the top 10 list in terms of total deposit balances from customers, the researchers explained. Instead, more than half of the targeted banks are in the bottom half of the overall list.

“This clearly shows that the targeted banks are picked regardless of the institution’s size,” according to Symantec. “We expect that other regional banks will likely be targeted by Snifula, so consumers should not let their guard down when using any online banking site.”
