Trojan program 'Neverquest' a new threat to online banking users, researchers say

  • 26 November 2013
  • 7 replies
  • 15704 views

Attackers could start to aggressively distribute this malware in the near future, Kaspersky Lab researchers warn.

A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.

The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.

"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time."

Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the usernames and passwords entered by victims on those websites, and it allows attackers to control infected computers remotely using VNC (Virtual Network Computing).

However, this Trojan program also has some features that make it stand out.

Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.
 

Userlevel 7
Oh nice one!  Nice and nasty that is.. certainly one to keep an eye out for.
Userlevel 7
Badge +6
I wish Webroot still did deep-dives as detailed as this. I miss the PrevX blog =(
Good stuff still years later.
 
http://www.prevx.com/blog.asp
http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf
 
In the TDL3/4 days it was my lighthouse.
Userlevel 7
Badge +4
Thanks for posting, Jasper! This is definitely one we have our eye on. Maybe @ can even chime in.
 
And @ - we do still have a Threat Research blog where we showcase our findings: The Webroot Threat Blog
Marco Giuliani has even contributed to it. It just has a new location. If you have any feedback on it though, please share with @ .
Userlevel 7
Badge +56
@ wrote:
Thanks for posting, Jasper! This is definitely one we have our eye on. Maybe @ can even chime in.
 
And @ - we do still have a Threat Research blog where we showcase our findings: The Webroot Threat Blog
Marco Giuliani has even contributed to it. It just has a new location. If you have any feedback on it though, please share with @ .
Where is Marco's blog located now? If you read his past blogs, that's the kind we like reading, when he breaks down malware and shows his detailed analysis!
 
Daniel
Userlevel 7
Badge +4
Marco has actually moved on, but his posts can be found here. I'm sure the current members of the Threat Blog team will be able to take this feedback and apply it to some of their posts moving forward.
 
Nowadays, the team tends to focus on "Here's what we found and here's how to remove it" like this recent blog from @ . 🙂
Userlevel 7
Badge +6
The in-depth investigations and white-papers certainly gave PrevX street-cred and the brand recognition in the field it was targeting: professionals passionate about (and desperate for) finding ways to augment AV technology which was seriously falling behind. Discussions about the end of antivirus were mainstream. I think that's actually how I/we initially discovered PrevX. The early TDL3 days were a very scary time to be a defender.
 
I have no doubt that the team could dig deep, but I understand it takes a whole lot of work for a minimal audience unless you're busting open a big new thing. And if you're running a blog consumers are supposed to read, then throwing out long screencaps of assembly is a great way to get them to stop reading. But I sure miss it a lot.
 
@ 
Marco left and started up his own company. Unfortunately he doesn't seem to blog much anymore.
http://www.saferbytes.it/2012/10/08/common-preventive-and-reactive-approaches-to-mitigate-exploit-attacks/
 
 
Userlevel 7
Badge +56
Yes, I knew Marco got his own company, but I thought it was still behind the Webroot label. But I see that has changed: http://www.saferbytes.it/about-the-team/ Great guy!
 
Daniel