There has been recent media coverage around a new online banking Trojan, publicly known as Neverquest. Once Neverquest infects a computer, the malware can modify content on banking websites opened in certain Internet browsers and can inject rogue forms into these sites. This allows attackers to steal login credentials from users. The threat can also let attackers take control of a compromised computer through a Virtual Network Computing (VNC) server. Neverquest can replicate itself by stealing login details and spamming out the Neverquest dropper, by accessing FTP servers to take credentials in order to distribute the malware with the Neutrino Exploit Kit and by obtaining social networking credentials to spread links to infected websites.
Symantec’s analysis of the Neverquest Trojan has found that the malware is the ongoing evolution of a threat family that Symantec detects as Snifula, which was first seen back in 2006. Our analysis of the Neverquest Trojan’s code has shown similarities with older samples of the Snifula family (in particular Backdoor.Snifula.D). We have also observed that network infrastructure found to be used previously by Snifula has close ties to the Neverquest Trojan. Symantec can confirm that we already had protection in place for this new threat under various different generic detection names from when we first encountered the malware back in mid-April 2013. Detection has since been broken out for this threat as Trojan.Snifula.
As mentioned, the code of Trojan.Snifula (also known as Neverquest) shows similarities with older samples of the Snifula family. The executables of the two threats have a different structure and functionality, but they do share some unique pieces of code that link them together. For example, the following pictures illustrate the code used to send eight bytes of data on the network, where the first four bytes contain the specific marker “26A6E848.”
Figure 1. Trojan.Snifula (Neverquest) code related to outbound network traffic
Figure 2. Backdoor.Snifula.D version of the same code from Figure 1
The code is nearly identical and the marker is unique, meaning that this code was not taken from a publicly available source. This is not the only resemblance of course; you can find many other similarities.
Figure 3. Trojan.Snifula (Neverquest) code for logging the current process ID
Figure 4. Same code from Backdoor.Snifula.D.
This code logs the malicious process ID along with the current time. Both the code and the string are identical in the two threats, which also make use of the CRC and Aplib algorithms and several common strings.
We also got hints of a connection between the two threats by looking at the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest). The IP address 220.127.116.11 was used as a C&C server by Trojan.Snifula. One of only two domains known to be hosted on that IP address is FyXqgFxUmihXClZo.org. This domain is known to be owned by Aster Ltd. In total, we know that Aster Ltd owns the following 26 domains.
The Aster Ltd domains Pluss.com.tw and Countdown.com.tw are hosted on the IP address 18.104.22.168. Symantec has linked this IP address to an active C&C server used by Backdoor.Snifula.D in February and March of 2013. Other domains owned by Aster Ltd, such as Sparkys3.net and Facestat.com.tw, are being hosted on the IP address 22.214.171.124, another known C&C IP address for Trojan.Snifula.
The Snifula family
Symantec has encountered numerous new variants of the Snifula family over the years. The arrival of Trojan.Snifula, which uses more sophisticated techniques to grow and to steal from victims, was an expected evolution of the Snifula family. Given that the Snifula threat family has been evolving and growing for years now, we don’t expect the malware to leave the threat landscape anytime soon.
To protect against this threat, Symantec also has the following Intrusion Prevention System (IPS) signature.
- System Infected: Trojan.Snifula Activity