First posted in a closed underground cybercrime forum, the Neverquest code targets “any bank in any country,” its author said, by seeding add-on code onto bank websites and making use of web injection, remote system access and social engineering.
Kaspersky Lab dug into the forensics and by mid-November had recorded thousands of attempted infections around the world. “This threat is relatively new, and cybercriminals still aren’t using it to its full capacity,” researchers said. “In light of Neverquest’s self-replication capabilities, the number of users attacked could increase considerably over a short period of time.”
The weeks prior to the Christmas and New Year holidays are traditionally a period of high malicious user activity, Kaspersky commented.
“As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent,” it said in an analysis. “We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”
Using a trojan downloader or a trojan dropper, Neverquest employs a configuration file that contains a set of malicious JavaScripts and a list of websites. When someone on an infected machine uses Internet Explorer or Firefox to visit one of the 28 sites listed – including those that belong to large German, Italian, Turkish and Indian banks, as well as payment systems – the malware initiates control of the browser’s connection with the server. Malicious users can then obtain usernames and passwords entered by the user, and modify webpage content. All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.
“Of all of the sites targeted by this particular program, fidelity.com – owned by Fidelity Investments – appears to be the top target,” Kaspersky said. “This company is one of the largest mutual investment fund firms in the world. Its website offers clients a long list of ways to manage their finances online. This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims.”
After gaining access to a user’s account with an online banking system, cybercriminals use a SOCKS server and connect remotely to the infected computer via a VNC server, then conduct transactions and wire money from the user to their own accounts, or – in order to keep the trail from leading directly to them – to the accounts of other victims.
Aside from the obvious dangers, the malware is also unusual in its ability to self-propagate by creating new seed code. The configuration file contains a list of key words that, if they are found on a webpage in the browser, prompt the malicious program to intercept the process and send the full contents of the webpage and its URL to malicious users, Kaspersky explained. Based on that received data, the malicious users then develop additional code to be seeded onto that website; the new website is then included on the list of targeted websites, and the new code is added to the arsenal of malicious scripts in the configuration file. The updated configuration file is then distributed to all infected computers.
“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions,” said Kaspersky. “In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.”