Wily Trojan Logs Into Banks Using Victim’s Own PC

New Trojan Neverquest lets attackers log in to banks using victim’s device

Kaspersky Labs has identified a new Trojan able to steal users’ bank login data and borrow their computers to get into their bank accounts with a minimum of hassle.

Kaspersky researchers named the malware Trojan-Banker.Win32/64.Neverquest when they spotted it on commercial cybercrime forums in July, according to a blog from Kaspersky researcher Sergey Giolovanov.

“Neverquest supports just about every possible trick described in our previous article on online bank attacks: web injection, remote system access, social engineering, and so on,” Golvanov wrote.

Stolen passwords aren’t enough to log in to many banking sites, however. Banking sites will often place a persistent, identifying cookie on the hard drive of legitimate customers to identify their devices as well as their login information. Without authenticating the hardware, attackers would have to wade through multiple extra security steps to answer secret questions – which most malware won’t have captured – to get access.

Neverquest gets around that by creating a virtual-network connection between itself and its control servers that conceals the data it sends out, while working in the opposite direction as well. It allows attackers to log in to the victim’s device using a VNC and SOCKS connection through which it remote-controls direct access to the bank without the knowledge of either the bank or the user.

Most bank-data-stealing malware needs guidance to know when the user logs in to a targeted site. Neverquest’s author included about 28 bank- and payment-service sites in the Trojan’s original configuration file.

Neverquest is also able to scan keywords on unknown sites to identify unknown bank or payment sites, and sends the full URL and contents of the page to its control servers.

The malware authors take that data, write out a configuration for the new site, and send it back to allow another attack. Then they distribute that information through the rest of the anonymized botnet controlling devices infected with Neverquest, in case their victims use the new site as well.

At the top of the list of financial sites to target is Fidelity Investments, which offers not only banking, but extensive investment functions as well. “This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims,” Golovanov wrote.

The Neverquest client also steals data from users’ email accounts and records relevant data during SMTP/POP sessions, which the authors use to spam more accounts with phishing messages that install another instance of Neverquest if new users give it half a chance.

The client also harvests user data from a long list of other sites including Facebook, Amazon, Meebo, iComment, Hubpages, Flickr, Yahoo and others.

It’s no coincidence that Kaspersky should first see significant numbers of infections of a new, adaptable bank-data-theft malware right before the holidays, which usually include heavy malware/hacker activity. “We can expect to see mass Neverquest attacks toward the end of the year,” Golvanov wrote, “which could ultimately lead to more users becoming the victims of online cash theft.”

 

Image: Shutterstock.com/ Finchen