The once prolific banking Trojan Neverquest received a major code revamp over the summer and is now armed with modifications that can more adeptly hijack a victim’s PC, inject code into webpages and steal credentials. The update represents a significant enough change to the malware that researchers have dubbed the latest samples Neverquest2.
Over the past several months Arbor Networks’ Security Engineering and Response Team (ASERT), along with other members of the security research community, have been tracking the slow and steady improvements added to Neverquest. There is consensus that the team behind the Trojan is gearing up for a new Neverquest2 assault.
Neverquest is derived from the Gozi Trojan, which was responsible for stealing millions of dollars from victims' bank accounts during its run several years ago. The Neverquest malware family, also known as Vawtrak, has been around for more than three years and has in the past been distributed by the Neutrino exploit kit.
With this latest version, Arbor researchers note in a soon-to-be-published technical analysis of the Trojan, the team behind Neverquest2 has modified the malware to include plugins that deliver 266 new web-inject rules targeting specific types of websites. Banking and financial sites make up the majority of the targets, followed by government agencies, wireless providers, payroll services and online public-record aggregators. Notable, say ASERT researchers, is the addition of web-inject rules that target Bitcoin commerce sites for the first time.
Neverquest2, like Neverquest, is designed to kick into action on an infected computer whenever the user visits one of the pre-programmed target sites. The web-injections then occur, inserting extra fields into the targeted web forms in order to steal PINs and other sensitive information that the legitimate page does not ask for.
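The mechanics of a form-field web-inject, and the integrity check a site owner can run against it, as an added example that is not Neverquest code and not from ASERT's analysis. The rule format (match a URL substring, find a marker in the page, insert HTML in front of it) is a generic banking-trojan style rule constructed for illustration; the login page, the hypothetical domain `examplebank.test` and the list of expected fields are constructed sample input. Real injects are applied by hooking the browser's HTTP functions, which the string rewrite below stands in for.

```python
"""Web-inject mechanics and a form-integrity check (added example).

The inject rule, the sample page and the expected-field list are all
constructed for this illustration; nothing here is taken from a real
Neverquest2 configuration.
"""
from html.parser import HTMLParser

# Constructed sample page: the bank's login form serves exactly two fields.
ORIGINAL_PAGE = """<html><body>
<form id="login" action="/auth" method="post">
  <label>User</label><input name="username" type="text">
  <label>Password</label><input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
</body></html>"""

# Constructed inject rule in a generic trojan style: url_match / marker / payload.
# The payload asks for an ATM PIN that the real site never requests.
INJECT_RULE = {
    "url_match": "examplebank.test/login",          # hypothetical domain
    "marker": '<button type="submit">',
    "payload": '<label>ATM PIN</label><input name="atm_pin" type="password">\n  ',
}


def apply_inject(url, page, rule):
    """Return the page as the victim's browser would render it after the
    trojan rewrote the HTTP response. The page is returned unchanged if the
    URL does not match the rule or the marker is absent."""
    if rule["url_match"] not in url:
        return page
    idx = page.find(rule["marker"])
    if idx == -1:
        return page
    return page[:idx] + rule["payload"] + page[idx:]


class _FormFields(HTMLParser):
    """Collect the name attribute of every <input> inside <form id=form_id>."""

    def __init__(self, form_id):
        super().__init__()
        self.form_id = form_id
        self.inside = False
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("id") == self.form_id:
            self.inside = True
        elif tag == "input" and self.inside and a.get("name"):
            self.fields.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.inside = False


def form_fields(page, form_id):
    """Field names of the given form, in document order."""
    p = _FormFields(form_id)
    p.feed(page)
    return p.fields


def unexpected_fields(page, form_id, expected):
    """Form-integrity check: names present in the rendered form that the
    server never sent. A non-empty result indicates a possible web-inject."""
    return sorted(set(form_fields(page, form_id)) - set(expected))


EXPECTED_LOGIN_FIELDS = ["username", "password"]

if __name__ == "__main__":
    url = "https://examplebank.test/login"
    tampered = apply_inject(url, ORIGINAL_PAGE, INJECT_RULE)
    print(form_fields(tampered, "login"))
    print(unexpected_fields(tampered, "login", EXPECTED_LOGIN_FIELDS))  # ['atm_pin']
```

In practice the integrity check runs as client-side script that reports the form's field names back to the bank, since the server only ever sees the form it sent; the check catches added fields but not an inject that merely restyles or relabels existing ones.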
In 2014, several people were arrested and indicted in connection with using Neverquest in a web-injection attack that resulted in more than $1.5 million in fraudulent transactions on StubHub, the online ticket portal.
The Trojan has evolved over the summer. Last month, cybersecurity firm PhishLabs noted that Neverquest2 uses a new domain generation algorithm (DGA) to produce a large number of candidate domain names through which it can locate its command-and-control servers.
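A DGA makes the C&C rendezvous point a moving target, so network defenders typically look for the shape of the generated names rather than any one domain. The following is an added example of that kind of heuristic detection run over DNS query logs; it is not PhishLabs' analysis or Neverquest2's algorithm, which the page does not describe. The log format, the log lines and the scoring thresholds are constructed for the illustration.

```python
"""Heuristic DGA-style domain detection over DNS query logs (added example).

Scores the shape of each queried second-level label (length, character
entropy, vowel ratio, letter/digit mixing) rather than matching a specific
generator. The log format and every line in SAMPLE_LOG are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log: timestamp, client, query type, queried name.
SAMPLE_LOG = """\
2016-09-01T10:00:01Z 10.0.0.7 A www.example.com
2016-09-01T10:00:02Z 10.0.0.7 A mail.google.com
2016-09-01T10:00:03Z 10.0.0.7 A xq7vk2zpl9wbnmd.com
2016-09-01T10:00:03Z 10.0.0.7 A hj3tf8qwz6nyrc4.net
2016-09-01T10:00:04Z 10.0.0.7 A cdn.cloudflare.net
2016-09-01T10:00:04Z 10.0.0.7 A p0lxw9vq2ksmz7b.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def sld_label(fqdn):
    """Second-level label, by naive splitting (no public-suffix list, so
    names under co.uk and similar suffixes are scored on the wrong label)."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """0..4: one point per heuristic that suggests a generated label.
    Thresholds are constructed for this example, not tuned on real traffic."""
    label = label.lower()
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if vowels / max(len(label), 1) < 0.25:
        score += 1
    if re.search(r"[a-z]", label) and re.search(r"[0-9]", label):
        score += 1
    return score


def is_dga_like(fqdn, threshold=3):
    return dga_score(sld_label(fqdn)) >= threshold


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m.group(1), "client": m.group(2),
                   "qtype": m.group(3), "qname": m.group(4)}


def flagged_queries(text):
    """Queried names that look generated, in log order."""
    return [r["qname"] for r in parse_log(text) if is_dga_like(r["qname"])]


def suspicious_clients(text, min_hits=3):
    """Clients that resolved at least min_hits DGA-like names; a single odd
    name is noise, a burst of them from one host is the DGA signature."""
    hits = defaultdict(int)
    for r in parse_log(text):
        if is_dga_like(r["qname"]):
            hits[r["client"]] += 1
    return sorted(c for c, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    print(flagged_queries(SAMPLE_LOG))
    print(suspicious_clients(SAMPLE_LOG))  # ['10.0.0.7']
```

Shape-based scoring is cheap but produces false positives on legitimate hashed hostnames (CDN and cloud-storage labels in particular), so it is best used to rank clients for review, with the burst count and a high NXDOMAIN rate as the stronger signals, rather than to block on a single lookup.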
Another recent modification to Neverquest2, ASERT observed, has been the introduction of new modules that extend the Trojan's functionality. Two modules added to Neverquest2 over the summer are a "backconnect" module and a certificate-stealing plugin.
The backconnect module (bc_32.dll) adds support for general-purpose remote access to an infected client. It includes a VNC server that can be installed on the infected host, according to ASERT. "The infected computer allows an attacker to be logged into the computer and see the victim's desktop and get access to webcam video and see the browsing history of the victim. They have full access to the victim's PC and can run arbitrary CMD commands and interact with the Task Manager," according to an ASERT researcher.
The second additional module (dg_32.dll) is a general-purpose information-stealing module that hunts for and steals certificates stored on the victim's infected computer. The dg_32.dll plugin "uses the CertOpenSystemStore() and related cryptographic APIs to gain access to certificate stores associated with private keys, certificate authorities, etc. It will scan the infected system for browser profiles, cookies, browsing history and browser cache entries," according to ASERT's report.
ASERT said the improved Neverquest2 can also remotely access an infected system to install the Pony Trojan, also referred to as Fareit.
Despite what researchers describe as a major overhaul for Neverquest, they say the primary goal for the Trojan remains the same: to modify the web page presented to the victim in order to steal account credentials or other sensitive information.
"This particular recent sample of Neverquest2 is a well-written, modular, professional grade malware platform," wrote ASERT researchers. "(Neverquest2) does not appear to contain a great deal more actual functionality beyond what was already present in some of the original Neverquest samples going all the way back to 2015. But its incremental changes, such as the recent adoption of a DGA-style mechanism for the specification of its C&C servers, indicate that the threat is still under active development."