{"id":3247,"date":"2013-11-29T10:00:33","date_gmt":"2013-11-29T15:00:33","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=3247"},"modified":"2020-02-26T10:45:52","modified_gmt":"2020-02-26T15:45:52","slug":"neverquest-trojan-built-to-steal-from-hundreds-of-banks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/3247\/","title":{"rendered":"Neverquest Trojan: Built to Steal from Hundreds of Banks"},"content":{"rendered":"<p><a href=\"https:\/\/threatpost.com\/neverquest-banking-malware-gearing-up-for-holiday-season\/103036\" target=\"_blank\" rel=\"noopener nofollow\">Neverquest<\/a> is a new <a href=\"https:\/\/www.kaspersky.com\/blog\/the-big-four-banking-trojans\/\" target=\"_blank\" rel=\"noopener nofollow\">banking trojan<\/a> that spreads itself via social media, email and file transfer protocols. It possesses the capacity to recognize hundreds of online banking and other financial sites. When an infected user attempts to login to one of the sites the trojan reacts by activating itself and pilfering its victim\u2019s credentials.<\/p>\n<p>Neverquest then relays the stolen credentials back to a command and control server. Once there, the attackers can use the credentials to log into affected accounts via virtual network computing (<a href=\"http:\/\/en.wikipedia.org\/wiki\/Vnc\" target=\"_blank\" rel=\"noopener nofollow\">VNC<\/a>). VNC is essentially a shared desktop system, so the criminals basically use the victim\u2019s computer to log into the victim\u2019s online bank and perform the theft. It makes it quite impossible for the bank to distinguish legitimate users from criminals.<\/p>\n<p><a href=\"http:\/\/www.securelist.com\/en\/analysis\/204792315\/Online_banking_faces_a_new_threat\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Lab announced earlier this week<\/a> that the trojan has infected thousands of user-machines but \u2013 as malware expert Sergey Golovanov explains \u2013 it has the potential to do much more damage throughout the holiday season because of its efficient and versatile self-replication features. In fact, back in 2009, the Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet.<\/p>\n<p>\u201cWhen a user on an infected machine visits one of the sites on the list, the malware controls the browser\u2019s connection with the server,\u201d Golovanov explained in an analysis on Securelist. \u201cMalicious users can obtain usernames and passwords entered by the user, and modify webpage content. All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.\u201d<\/p>\n<p>Once the attacker has control of a victim\u2019s account, he can empty it completely into an account under his control. In many cases, however, Golovanov notes that the attackers are moving the stolen money through a series of victim accounts. In this way, they dump money from one victim\u2019s account into another and repeat this process several times before directly obtaining the money themselves in order to make their activities difficult to trace.<\/p>\n<div class=\"pullquote\">Attackers dump money from one victim\u2019s account into another and repeat this process several times before directly obtaining the money themselves in order to make their activities difficult to trace.<\/div>\n<p>Neverquest is for sale on at least one underground forum. It only seems to affect users browsing with Internet Explorer and Mozilla Firefox, but Neverquest\u2019s creators boast that it can be modified to attack \u201cany bank in any country.\u201d<\/p>\n<p>The malware also contains a feature that searches for specific banking-related keywords while the infected user surfs the web. If a user visits a site that includes these keywords, the trojan activates itself and begins intercepting user communications and sending them back to the attackers. If the site the victim is visiting ends up being a bank, the attackers add this new site to the list of sites that automatically trigger Neverquest. This update is then sent along through Neverquest\u2019s command and control infrastructure to all other infected machines.<\/p>\n<p>Fidelity.com, the website of one of the world\u2019s largest mutual fund investment firms, appears to be one of the trojan\u2019s top targets according to the report.<\/p>\n<p>\u201cIts website offers clients a long list of ways to manage their finances online,\u201d Golovanov wrote on Securelist. \u201cThis gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims.\u201d<\/p>\n<p>Neverquest is also designed to start harvesting data when an infected user visits any number of sites not related to finance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more.<\/p>\n<p>\u201cThe weeks prior to the Christmas and New Year holidays are traditionally a period of high malicious user activity,\u201d Golovanov wrote. \u201cAs early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent. We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.\u201d<\/p>\n<p>He continues:<\/p>\n<p>\u201cProtection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that <a href=\"http:\/\/www.securelist.com\/en\/analysis\/204792304\/Staying_safe_from_virtual_robbers#12\" target=\"_blank\" rel=\"noopener nofollow\">secures transactions<\/a>. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.\u201d \u2028Luckily, Kaspersky Lab has such technology called <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/safe-money\/\" target=\"_blank\" rel=\"noopener nofollow\">Safe Money<\/a>. As a part of <a href=\"http:\/\/kaspersky.com\/multi-device-security\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> and <a href=\"http:\/\/kaspersky.com\/pure\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky PURE<\/a>, it protects user\u2019s interactiona with financial sites, paying specific attention to the security of the encrypted connection and the absence of third-party control over web browsers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Neverquest is a new banking trojan that spreads itself via social media, email and file transfer protocols. It possesses the capacity to recognize hundreds of online banking and other financial<\/p>\n","protected":false},"author":32,"featured_media":3254,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[734,79],"class_list":{"0":"post-3247","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-banking-trojans","9":"tag-online-banking"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/3247\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/2703\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/2599\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/2906\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/2723\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/2116\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/3247\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/neverquest-trojan-built-to-steal-from-hundreds-of-banks\/3247\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/banking-trojans\/","name":"banking trojans"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3247"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3247\/revisions"}],"predecessor-version":[{"id":32982,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3247\/revisions\/32982"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/3254"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}