Menu
Trojan program 'Neverquest' a new threat to online banking users, researchers say

Trojan program 'Neverquest' a new threat to online banking users, researchers say

Attackers could start to aggressively distribute this malware in the near future, Kaspersky Lab researchers warn

A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.

The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.

"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time."

Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the username and passwords entered by victims on those websites and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).

However, this Trojan program also has some features that make it stand out.

Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.

This helps attackers identify new financial websites to target and build scripts for the malware to interact with them.

Once attackers have the information they need to access a user's account on a website, they use a proxy server to connect to the user's computer via VNC and access the account directly. This can bypass certain account protection mechanisms enforced by websites because unauthorized actions like transferring money are done through the victim's browser.

"Of all of the sites targeted by this particular program, fidelity.com -- owned by Fidelity Investments -- appears to be the top target," Golovanov said. "This company is one of the largest mutual investment fund firms in the world. Its website offers clients a long list of ways to manage their finances online. This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims."

The methods used to distribute Neverquest are similar to those used to distribute the Bredolab botnet client, which became one of the most widespread malware on the Internet in 2010.

Neverquest steals log-in credentials from FTP (File Transfer Protocol) client applications installed on infected computers. Attackers then use these FTP credentials to infect websites with the Neutrino exploit pack, which then exploits vulnerabilities in browser plug-ins to install the Neverquest malware on the computers of users visiting those sites.

The Trojan program also steals SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients and sends them back to attackers so they can be used to send spam emails with malicious attachments. "These emails are typically designed to look like official notifications from a variety of services," Golovanov said.

In addition, Neverquest steals account log-in information for a large number of social networking websites and chat services accessed from infected computers. Those accounts could be used to spread links to infected websites with the intention to further spread Neverquest, even though Kaspersky Lab hasn't seen this method being used yet.

"As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent," Golovanov said. "We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft."


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securitydata breachAccess control and authenticationspywaremalwarekaspersky labfraud

Featured

Slideshows

Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Show Comments