Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Neverquest Banking Trojan Updated to Include More Than 30 Financial Institutions in Japan

Whoever is behind the development of the Neverquest (Snifula) Trojan has been busy.

Whoever is behind the development of the Neverquest (Snifula) Trojan has been busy.

A new variant has been found targeting more than 30 Japanese financial institutions, including 12 regional banks. The update builds upon the Trojan’s previous capability to target eight banks in the country, and continues the malware’s focus on the nation. 

“Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use,” Symantec’s security response team noted. “We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online banking sites in Japan.”

As of July, Japan is home to 20 percent of the Snifula attacks. The United Kingdom (24 percent) and Germany (20 percent) make up the top three. The United States is fourth with 15 percent.

The updated Trojan is the latest evolution of the Snifula malware family, which Symantec researchers trace back to 2006. It features a number of capabilities many cybercriminals would love – keystroke logging, digital certificate theft, screenshot and video capture and remote access to name a few. Once a machine is infected, the malware contacts the command and control server and downloads a configuration file for man-in-the-browser attacks.

A configuration file is designed for each target country and contains two parts. The first is code injected into Web pages to display phony messages that typically ask the user to input information such as personal identification numbers or one-time passwords. The second part of the file tells the malware what types of sites it should monitor. The malware monitors the Web pages user visits and logs when any of the strings in the configuration file match part of a URL or Web page content. 

While the configuration file for Japan contains more than 30 financial institutions, the file for Germany has 10 and the U.S. file contains a list of more than 50. The 12 regional banks in the configuration file for Japan are spread across 12 prefectures. Only one of these banks made the top 10 list in terms of total deposit balances from customers, the researchers explained. Instead, more than half of the targeted banks are at the bottom half of the overall list. 

“This clearly shows that the targeted banks are picked regardless of the institution’s size,” according to Symantec. “We expect that other regional banks will likely be targeted by Snifula, so consumers should not let their guard down when using any online banking site.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.