Neverquest Banking Malware Gearing Up For Holiday Season

A self-replicating banking Trojan called Neverquest has attempted to infect thousands of victims who have accounts with any of more than 100 banks. Researchers expect the malware to ramp up infection attempts over the holidays.

Banking malware with a particular liking for Fidelity Investments has infected several thousand victims worldwide, and has the capacity for much greater harm, in particular during the upcoming holidays, according to researchers at Kaspersky Lab.

A report released today describes the threat posed by a Trojan called Neverquest, which is self-replicating malware programmed to activate when a victim visits any of more than 100 banks and financial institutions. The malware sends credentials and other personal information back to the attackers, who then, via a VNC connection established by the Trojan, are able to conduct transactions on the victim’s behalf and wipe accounts clean.

“This threat is relatively new, and cybercriminals still aren’t using it to its full capacity,” wrote researcher Sergey Golovanov. “In light of Neverquest’s self-replication capabilities, the number of users attacked could increase considerably over a short period of time.”

The threat was spotted in July on an underground forum where the attackers had posted the Trojan for sale, boasting that it could be used to attack 100 banks by plugging code into websites viewed with Internet Explorer or Firefox.

The attackers use a dropper to infect machines with Neverquest, formally known as Trojan-Banker.Win32/64.Neverquest. The dropper puts a DLL on a machine that initializes Neverquest. If this is a first-time infection, a VNC server is launched that connects to the attacker’s server, which sends back an encrypted configuration file that includes malicious JavaScript and a list of banking websites along with corresponding attack scripts for each. The list includes large international banks and payment systems, primarily in Germany, Italy, Turkey and India.

“When a user on an infected machine visits one of the sites on the list, the malware controls the browser’s connection with the server. Malicious users can obtain usernames and passwords entered by the user, and modify webpage content,” Golovanov wrote. “All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.”

Illicit transactions are conducted over a SOCKS server that is remotely connected to the infected computer via VNC, Golovanov wrote. Stolen funds are either wired directly to the attackers, or to other stolen accounts.

After gaining access to a user’s account with an online banking system, cybercriminals use a SOCKS server and connect remotely to the infected computer via a VNC server, then conduct transactions and wire money from the user to their own accounts, or — in order to keep the trail from leading directly to them — to the accounts of other victims.

The list of targeted banks can be expanded, Golovanov said. The configuration file also comes equipped with a list of keywords related to banking activity, such as “available balance,” “checking account,” “account summary,” and many others. If any of these keywords shows up in a webpage, the malware sends the page back to the attackers. The attackers may then use that page to develop attacks specific to the bank in question if it’s not already on the list; the bank is then added to the configuration file for future infection attempts. Most of the attacks so far, Golovanov wrote, have been against Fidelity customers.

As for Neverquest’s replication capabilities, it moves about similarly to Bredolab, a botnet blamed for millions of infections worldwide via a three-pronged approach. Neverquest uses any of dozens of programs to access FTP servers in order to steal credentials that are used to distribute the malware via the Neutrino Exploit Kit. Also, it can harvest data from victims’ email clients during SMTP/POP sessions, including credentials, which are then used to spam out the Neverquest dropper. It is also designed to harvest credentials from social networks, including Facebook, Twitter, Amazon Web Services and many others to spread links via social networks to infected online resources.

“As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent,” Golovanov wrote. “We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”
