Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Variant of Neverquest Banking Trojan Targets North America

Malware

Cybercriminals have been using a new variant of the Neverquest malware to target the customers of financial institutions, researchers at IBM Trusteer reported on Friday.

Malware

Cybercriminals have been using a new variant of the Neverquest malware to target the customers of financial institutions, researchers at IBM Trusteer reported on Friday.

The Neverquest banking Trojan was first spotted in November 2013. The threat is believed to be an evolution of the Snifula malware family.

Multiple new variants of Neverquest were released this summer by the malware’s authors, with most infections spotted in the United States and Japan. According to researchers, the latest variant of the threat has been used against financial institutions worldwide, but the largest number of infections has been seen in North America.

In November, IBM Trusteer detected nearly 4,000 infections in North America, and more than 1,000 infections in Europe. Interestingly, the new Neverquest isn’t used as much against organizations in Asia as previous variants only 100 infections were spotted last month.

The webinject configuration file used by the Trojan contains a list of 300 organizations whose customers are targeted. Most of the targets are financial institutions, but some of them are companies in the media, social networking and gaming sectors, experts said.

The dropper for the new Neverquest variant has been distributed through drive-by downloads that leverage exploit kits, the Chaintor downloader which retrieves the payload from the Tor anonymity network, and the Zemot Trojan downloader.

Experts determined that the installation process for the latest Neverquest is different compared to previous variants. Once it finds itself on a computer, the dropper drops the Neverquest DLL module and executes it using regsvr32.exe, a command-line tool that registers DLL files as command components in the registry.

In the next stage, the Trojan creates copies of itself in the %Appdata% or %Programdata% directory, depending on the operating system running on infected machine. Finally, the “CreateRemoteThread” function is utilized to inject the malicious code into legitimate Windows processes, such as “Explorer.exe.”

Advertisement. Scroll to continue reading.

The authors of Neverquest are leveraging two techniques to ensure that the threat can’t be removed easily by security solutions. First, the method known as “recurring runkey” is used to rewrite the Windows registry entry responsible for persistency, in case it’s removed. Second, the technique called “watchdog” is utilized to recreate important components as soon as they are terminated.

Another significant change observed by Trusteer researchers is related to command and control (C&C) communications. More precisely, the malware uses a new communication pattern with its C&C server.

The new Neverquest variant has the ability to capture video and screenshots, and conduct man-in-the-middle and man-in-the-browser attacks. The malware also has a Pony module, which allows cybercriminals to collect credentials for FTP, email clients, and Web browsers.

“We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied,” Ilya Kolmanovich, threat engineer at Trusteer, explained in a blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.