Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Neverquest Evolves Again and Seeks New Targets

Trojan.Snifula has continued to evolve and develop new features to steal more confidential online banking information.
Created: 16 Jul 2014 23:01:43 GMT • Translations available: 日本語
Symantec Security Response's picture
+2 2 Votes
Login to vote

Despite Japan's isolated adoption of unique and sometimes incompatible technological standards, often described as Galapagosization, the country still seems to be open game when it comes to banking malware. Attacks on online banking are nothing new in Japan and the country has dealt with several prominent cases in the last year. For instance Infostealer.Torpplar targeted confidential information that was specific to Japanese online banks and credit cards, and variants of Infostealer.Bankeiya utilized various methods including zero-day vulnerabilities and exploit kits to target Japanese users. Japan's National Police Agency reported that US$11,840,000 was stolen in 2013 as a result of cybercrime and, as of May 9, 2014, US$14,170,000 has been stolen, already surpassing last year’s total with still more than half a year to go.

Another infamous banking Trojan, Neverquest or Trojan.Snifula, has continued to evolve and develop new features to steal more confidential online banking information since we last wrote about it. Symantec has observed recent activity, specifically information stealing, from the banking Trojan over the last several months.

Our telemetry shows that since last December more than half of the occurrences of Snifula were in the United States or Japan.

Neverquest 1.png

Figure 1. Snifula occurrences by country

The graph seen in Figure 2 shows the number of Snifula infections per country over a one-month period and clearly indicates a noticeable spike in infections for Japan in late March.

Neverquest 2.png

Figure 2. Number of infections per country over a one-month period

As stated in our last Snifula blog, the threat has been evolving since 2006. Snifula includes many features for stealing confidential information from compromised computers including:

  • Keystroke logging
  • Screenshot and video capture
  • Remote control
  • Stored user name and password extraction
  • Digital certificate theft
  • Man-in-the-browser (MitB) attacks

Once Snifula has infected a computer, it downloads a configuration file from a command-and-control (C&C) server. The configuration file is specifically crafted for each target. For example, Figures 3, 4, and 5 show configuration files for the US, Germany, and Japan.

Neverquest 3 edit.png

Figure 3. Configuration file for the US

Neverquest 4 edit.png

Figure 4. Configuration file for Germany

Neverquest 5 edit.png

Figure 5. Configuration file for Japan

The configuration files mainly consist of two parts. The first part is code that is used for MitB attacks. This code is injected into target Web pages to display fake message that usually asks the user to input sensitive data such as personal information, Personal Identification Number (PIN), Transaction Authentication Number (TAN), External Transfer Password (ETP), Telephone Banking Password (TBP), One Time Password (OTP), answers to security questions, or any other information required for transferring money.

The second part of each configuration file consists of a list of strings. The threat monitors the Web pages users visit and starts logging when any of the strings in the configuration file matches with part of a URL or Web page content. There are no major differences between configurations for the US and Japan in terms of the list of strings. We can see around 400 strings related to social networking, customer relationship management, Web mail, messaging, cloud computing, storage, financial, online movie, photo sharing, and gaming services. It seems that most major online services, for both consumer and enterprise users, are covered.

The configuration file for Japan, used by this latest Snifula variant, lists only eight major Japanese financial institutions as targets, compared to ten listed in the German configuration file and more than 50 in the US file.

A total of eight Japanese financial services targeted by this particular Snifula variant may not sound like too many; however, we expect this to increase. Another financially motivated and well-known malware family, Trojan.Zbot, is known to target local banks that are less known outside of their regions. Because the source code for Zbot was leaked online, its successful methods and techniques are now public knowledge among the underground community. Because of this, we have little doubt that Snifula will be, or already has been, updated to target more Japanese financial services.

These days we rely on many online services for things such as finance, email, shopping, connecting with friends, and sharing data with others in both our business and personal lives. Unfortunately, these services are prime targets for the bad guys. To stay protected, Symantec recommends keeping your computer and security software up-to-date.

Symantec has the following detections in place to protect against this threat:

Antivirus

IPS