The developers of the notorious Neverquest banking Trojan haven't wasted their time during the summer. Instead, they have decided to upgrade and modify their product, which is now able to more adeptly hijack a victim's computer, steal credentials and inject code into webpages. Researchers call this improved version of the Trojan Neverquest2.
Arbor Networks' Security Engineering and Response Team (ASERT) and other experts have been monitoring the Neverquest2 updates over the past few months, which clearly indicates that the authors of the threat are preparing for new attack waves.
Neverquest is a version of the Gozi Trojan, which helped its creators steal millions of dollars from victims' bank accounts a few years back. Neverquest, also known as Vawtrak, first appeared on the malware stage three years ago and was then distributed by the Neutrino exploit kit.
Arbor experts say that Neverquest2 has received significant modifications. For example, the Trojan now includes plugins capable of delivering 266 new web-inject rules targeting specific types of websites. Financial and banking websites are the number one target of Neverquest2, followed by wireless providers, online public record aggregators, government agencies and payroll services. Notably, there are also new web-injection rules targeting Bitcoin commerce sites.
Neverquest2 infects victims when they visit one of the compromised targeted webpages. The web injections then insert extra fields into targeted web forms in order to steal PINs and other valuable information.
Two years ago, the police arrested several people accused of being involved with the Neverquest wave, responsible for stealing more than 1.5 million.
As we said, the Trojan received significant improvements over the summer. Neverquest2 now relies on a new domain generation algorithm to produce a large number of domain names that can be used to reach its C&C server, the cybersecurity firm PhishLabs reported last month.
ASERT noted another change as well: the addition of two new modules to the Trojan, a “backconnect” module and a certificate-stealing plugin.
The backconnect module (bc_32.dll) adds support for general purpose remote access to an infected client. According to ASERT, it includes a VNC server that can be installed on the infected host.
“The infected computer allows an attacker to be logged into the computer and see the victim’s desktop and get access to webcam video and see the browsing history of the victim. They have full access to the victim’s PC and can run arbitrary CMD commands and interact with the Task Manager,” says an ASERT researcher.
The second addition is a general purpose information-stealing module (dg_32.dll). It looks for and steals certificates from the infected victim's PC. As the ASERT report reads, this module “… uses the CertOpenSystemStore() and related cryptographic APIs to gain access to certificate stores associated with private keys, certificate authorities, etc. It will scan the infected system for browser profiles, cookies, browsing history and browser cache entries.”