Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Neverquest Banking Trojan Updated to Include More Than 30 Financial Institutions in Japan

Whoever is behind the development of the Neverquest (Snifula) Trojan has been busy.

Whoever is behind the development of the Neverquest (Snifula) Trojan has been busy.

A new variant has been found targeting more than 30 Japanese financial institutions, including 12 regional banks. The update builds upon the Trojan’s previous capability to target eight banks in the country, and continues the malware’s focus on the nation. 

“Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use,” Symantec’s security response team noted. “We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online banking sites in Japan.”

As of July, Japan is home to 20 percent of the Snifula attacks. The United Kingdom (24 percent) and Germany (20 percent) make up the top three. The United States is fourth with 15 percent.

The updated Trojan is the latest evolution of the Snifula malware family, which Symantec researchers trace back to 2006. It features a number of capabilities many cybercriminals would love – keystroke logging, digital certificate theft, screenshot and video capture and remote access to name a few. Once a machine is infected, the malware contacts the command and control server and downloads a configuration file for man-in-the-browser attacks.

A configuration file is designed for each target country and contains two parts. The first is code injected into Web pages to display phony messages that typically ask the user to input information such as personal identification numbers or one-time passwords. The second part of the file tells the malware what types of sites it should monitor. The malware monitors the Web pages user visits and logs when any of the strings in the configuration file match part of a URL or Web page content. 

While the configuration file for Japan contains more than 30 financial institutions, the file for Germany has 10 and the U.S. file contains a list of more than 50. The 12 regional banks in the configuration file for Japan are spread across 12 prefectures. Only one of these banks made the top 10 list in terms of total deposit balances from customers, the researchers explained. Instead, more than half of the targeted banks are at the bottom half of the overall list. 

“This clearly shows that the targeted banks are picked regardless of the institution’s size,” according to Symantec. “We expect that other regional banks will likely be targeted by Snifula, so consumers should not let their guard down when using any online banking site.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.