Whoever is behind the development of the Neverquest (Snifula) Trojan has been busy.
A new variant has been found targeting more than 30 Japanese financial institutions, including 12 regional banks. The update builds upon the Trojan’s previous capability to target eight banks in the country, and continues the malware’s focus on the nation.
“Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use,” Symantec’s security response team noted. “We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online banking sites in Japan.”
As of July, Japan is home to 20 percent of the Snifula attacks. The United Kingdom (24 percent) and Germany (20 percent) make up the top three. The United States is fourth with 15 percent.
The updated Trojan is the latest evolution of the Snifula malware family, which Symantec researchers trace back to 2006. It features a number of capabilities many cybercriminals would love – keystroke logging, digital certificate theft, screenshot and video capture and remote access to name a few. Once a machine is infected, the malware contacts the command and control server and downloads a configuration file for man-in-the-browser attacks.
A configuration file is designed for each target country and contains two parts. The first is code injected into Web pages to display phony messages that typically ask the user to input information such as personal identification numbers or one-time passwords. The second part of the file tells the malware what types of sites it should monitor. The malware monitors the Web pages user visits and logs when any of the strings in the configuration file match part of a URL or Web page content.
While the configuration file for Japan contains more than 30 financial institutions, the file for Germany has 10 and the U.S. file contains a list of more than 50. The 12 regional banks in the configuration file for Japan are spread across 12 prefectures. Only one of these banks made the top 10 list in terms of total deposit balances from customers, the researchers explained. Instead, more than half of the targeted banks are at the bottom half of the overall list.
“This clearly shows that the targeted banks are picked regardless of the institution’s size,” according to Symantec. “We expect that other regional banks will likely be targeted by Snifula, so consumers should not let their guard down when using any online banking site.”