Security Experts:

New Variant of Neverquest Banking Trojan Targets North America


Cybercriminals have been using a new variant of the Neverquest malware to target the customers of financial institutions, researchers at IBM Trusteer reported on Friday.

The Neverquest banking Trojan was first spotted in November 2013. The threat is believed to be an evolution of the Snifula malware family.

Multiple new variants of Neverquest were released this summer by the malware's authors, with most infections spotted in the United States and Japan. According to researchers, the latest variant of the threat has been used against financial institutions worldwide, but the largest number of infections has been seen in North America.

In November, IBM Trusteer detected nearly 4,000 infections in North America, and more than 1,000 infections in Europe. Interestingly, the new Neverquest isn't used as much against organizations in Asia as previous variants only 100 infections were spotted last month.

The webinject configuration file used by the Trojan contains a list of 300 organizations whose customers are targeted. Most of the targets are financial institutions, but some of them are companies in the media, social networking and gaming sectors, experts said.

The dropper for the new Neverquest variant has been distributed through drive-by downloads that leverage exploit kits, the Chaintor downloader which retrieves the payload from the Tor anonymity network, and the Zemot Trojan downloader.

Experts determined that the installation process for the latest Neverquest is different compared to previous variants. Once it finds itself on a computer, the dropper drops the Neverquest DLL module and executes it using regsvr32.exe, a command-line tool that registers DLL files as command components in the registry.

In the next stage, the Trojan creates copies of itself in the %Appdata% or %Programdata% directory, depending on the operating system running on infected machine. Finally, the "CreateRemoteThread" function is utilized to inject the malicious code into legitimate Windows processes, such as "Explorer.exe."

The authors of Neverquest are leveraging two techniques to ensure that the threat can't be removed easily by security solutions. First, the method known as "recurring runkey" is used to rewrite the Windows registry entry responsible for persistency, in case it's removed. Second, the technique called "watchdog" is utilized to recreate important components as soon as they are terminated.

Another significant change observed by Trusteer researchers is related to command and control (C&C) communications. More precisely, the malware uses a new communication pattern with its C&C server.

The new Neverquest variant has the ability to capture video and screenshots, and conduct man-in-the-middle and man-in-the-browser attacks. The malware also has a Pony module, which allows cybercriminals to collect credentials for FTP, email clients, and Web browsers.

"We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied," Ilya Kolmanovich, threat engineer at Trusteer, explained in a blog post.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.