SecurityWeek

Neverquest Banking Trojan Updated to Include More Than 30 Financial Institutions in Japan

Whoever is behind the development of the Neverquest (Snifula) Trojan has been busy.

A new variant has been found targeting more than 30 Japanese financial institutions, including 12 regional banks. The update builds upon the Trojan’s previous capability to target eight banks in the country, and continues the malware’s focus on the nation. 

“Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use,” Symantec’s security response team noted. “We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online banking sites in Japan.”

As of July, Japan is home to 20 percent of the Snifula attacks. The United Kingdom (24 percent) and Germany (20 percent) make up the top three. The United States is fourth with 15 percent.

The updated Trojan is the latest evolution of the Snifula malware family, which Symantec researchers trace back to 2006. It features a number of capabilities many cybercriminals would love – keystroke logging, digital certificate theft, screenshot and video capture, and remote access, to name a few. Once a machine is infected, the malware contacts the command and control server and downloads a configuration file for man-in-the-browser attacks.

A configuration file is designed for each target country and contains two parts. The first is code injected into Web pages to display phony messages that typically ask the user to input information such as personal identification numbers or one-time passwords. The second part of the file tells the malware what types of sites it should monitor. The malware monitors the Web pages the user visits and logs when any of the strings in the configuration file match part of a URL or Web page content.
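From the defending institution's side, both parts of such a configuration leave something to check for. The sketch below is an added example, not code from the article or from Symantec: it compares the form fields a server sent with a snapshot of the page as rendered in the customer's browser to flag injected PIN or one-time-password prompts, and it tests whether a page would match a list of watch strings. The HTML, field names, URLs and watch strings are constructed assumptions.

```python
from html.parser import HTMLParser

class FieldCollector(HTMLParser):
    """Records (form, field name, field type) for every data-entry element."""
    def __init__(self):
        super().__init__()
        self.form = ""
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = a.get("id") or a.get("name") or ""
        elif tag in ("input", "select", "textarea"):
            name = a.get("name") or a.get("id") or ""
            self.fields.add((self.form, name, (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = ""

def collect_fields(html):
    parser = FieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields

def injected_fields(served_html, rendered_html):
    """Fields in the browser-side snapshot that the server never sent."""
    return sorted(collect_fields(rendered_html) - collect_fields(served_html))

def watchlist_hits(url, page_text, watch_strings):
    """Watch strings that match part of the URL or page content (case-insensitive)."""
    haystack = (url + "\n" + page_text).lower()
    return [s for s in watch_strings if s.lower() in haystack]

# Constructed sample data: a login page as served, and as seen in an infected browser.
SERVED = """<form id="login"><input name="user" type="text">
<input name="pass" type="password"><input type="submit" name="go"></form>"""
RENDERED = SERVED.replace(
    '<input type="submit"',
    '<p>Security check: enter your PIN and one-time password.</p>'
    '<input name="pin" type="password"><input name="otp" type="text">'
    '<input type="submit"')
WATCH = ["bank.example/login", "cardsite.example"]  # constructed, not from a real configuration

if __name__ == "__main__":
    print(watchlist_hits("https://www.bank.example/login", SERVED, WATCH))
    for form, name, ftype in injected_fields(SERVED, RENDERED):
        print(f"unexpected field in form '{form}': {name} ({ftype})")
```

In practice the rendered snapshot would come from a page-integrity script reporting back to the bank, and a non-empty result on a login or transfer page is a signal to challenge or review the session.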

While the configuration file for Japan contains more than 30 financial institutions, the file for Germany has 10 and the U.S. file contains a list of more than 50. The 12 regional banks in the configuration file for Japan are spread across 12 prefectures. Only one of these banks made the top 10 list in terms of total deposit balances from customers, the researchers explained. Instead, more than half of the targeted banks are in the bottom half of the overall list.

“This clearly shows that the targeted banks are picked regardless of the institution’s size,” according to Symantec. “We expect that other regional banks will likely be targeted by Snifula, so consumers should not let their guard down when using any online banking site.”
