Researchers have found some recent modifications to the Neverquest banking Trojan that indicate the malware is no longer just targeting online banking sites, but also is going after social media, retailers and some game portals. The new changes also give the Trojan the ability to insert extra fields into targeted Web forms in order to steal PINs and other sensitive information and erase its tracks from the Web traffic it modifies.
Neverquest, also known as Vawtrak, is a newer version of the venerable Gozi Trojan that was responsible for stealing millions of dollars from various victims’ bank accounts during its run. The Neverquest iteration has been around for more than a year now and was designed to kick into action on an infected machine whenever a user visits one of the pre-programmed target sites, mainly online banks until recently. Neverquest is distributed through the Neutrino exploit kit, among other vectors. Now, the team behind Neverquest has modified the malware to give it some new capabilities, including new web-injects that allow the malware to modify Web traffic in real time.
“The newest configuration being pushed to bots on August 28, 2014, represents major changes made over the last 30 days. Vawtrak’s advanced webinject capabilities are similar to other state-of-the-art banking Trojans, allowing it to modify data in web traffic, even if it has been secured with encryption. Vawtrak uses this capability to steal login credentials, automate fraudulent transactions inside online banking sessions, and inject additional form fields into legitimate web pages to gather additional information, such as social security numbers or PINs, for use in banking fraud and identity theft,” said Don Jackson, director of threat intelligence at PhishLabs.
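The injected-form-field behaviour described above can be caught on the defender's side by comparing the fields a page actually presents against a manifest of the fields the site is known to serve, and by flagging field names that ask for data the legitimate form never collects. The following is an added example, not code from the article or from PhishLabs; the two HTML pages, the baseline manifest and the sensitive-name hints are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: the login form as the server legitimately serves it.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed sample: the same form after a webinject has added fields
# that request a social security number and a card PIN.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ssn" placeholder="Social Security Number">
  <input type="password" name="pin" placeholder="ATM PIN">
  <button type="submit">Sign in</button>
</form>
"""

# Assumed manifest of the field names the site's own login form contains.
BASELINE_FIELDS = ["csrf_token", "username", "password"]

# Assumed hints: substrings that mark a field as asking for data a login
# form would never legitimately request.
SENSITIVE_HINTS = ("ssn", "social", "pin", "cvv", "mother")


class FormFieldCollector(HTMLParser):
    """Collect (name, type) pairs for every named form control in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        attr_map = dict(attrs)
        name = attr_map.get("name")
        if not name:
            return
        # <select> and <textarea> have no type attribute; use the tag name.
        field_type = attr_map.get("type", "text") if tag == "input" else tag
        self.fields.append((name, field_type))


def collect_fields(html):
    """Parse the page and return its named form controls in document order."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def find_unexpected_fields(html, baseline):
    """Field names present in the page but absent from the known manifest."""
    observed = {name for name, _ in collect_fields(html)}
    return sorted(observed - set(baseline))


def find_sensitive_fields(html, hints=SENSITIVE_HINTS):
    """Field names whose lower-cased name contains a sensitive-data hint.

    This works without a manifest, so it still helps when the baseline is
    incomplete, at the cost of occasional false positives (e.g. 'spinner').
    """
    return sorted(
        name for name, _ in collect_fields(html)
        if any(hint in name.lower() for hint in hints)
    )


def audit_page(html, baseline=BASELINE_FIELDS):
    """Return a small report suitable for alerting or logging."""
    unexpected = find_unexpected_fields(html, baseline)
    sensitive = find_sensitive_fields(html)
    return {
        "unexpected": unexpected,
        "sensitive": sensitive,
        "suspicious": bool(unexpected or sensitive),
    }


if __name__ == "__main__":
    print("clean page   :", audit_page(CLEAN_PAGE))
    print("injected page:", audit_page(INJECTED_PAGE))
```

In practice the page passed to `audit_page` would be the DOM as the browser rendered it (for example, serialized by a monitoring script or a synthetic client), since the injection happens after the server's response leaves the wire; the baseline manifest is what the server-side template is known to emit.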
Along with the modifications to the malware’s functionality, the Neverquest team also has expanded the volume and variety of targets the Trojan goes after. Initially, the malware targeted banks almost exclusively. The more recent versions have broadened their target list significantly and now go after some social media sites, analytics sites and retailers.
“As one arm of the syndicate recently scaled back attacks on targets in Japan, China, Australia, New Zealand, and other Far East countries, the core Russian crew ramped up large-scale attacks on U.S. targets beginning approximately three months ago. In July, samples from the Russian crew’s new operation were configured to use advanced webinject attacks against as many as 64 targeted organizations’ web sites, including financials, social networks, online retailers (including StubHub), analytics firms, and game portals,” Jackson said.
Several people were arrested and indicted in July in connection with using Neverquest in an attack that resulted in more than $1.5 million in fraudulent transactions on StubHub, an online ticket portal.