Symantec Security Response has found that a new variant of Trojan.Snifula (Neverquest) is targeting more than 30 Japanese financial institutions, including 12 regional banks. The threat first appeared in 2006 and is used to steal victims’ financial information from specific banking sites through man-in-the-browser (MITB) techniques. Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use.
We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online banking sites in Japan.
One interesting aspect of the configuration file is that it includes 12 Japanese regional banks that are spread across 12 prefectures. Only one of these regional banks makes the top ten list in terms of total deposit balances from customers. In fact, more than half of the targeted banks are in the bottom half of the overall list of total deposit balances from customers. This clearly shows that the targeted banks are picked regardless of the institution’s size. We expect that other regional banks will likely be targeted by Snifula, so consumers should not let their guard down when using any online banking site.
As of July 2014, our telemetry shows that Japan still ranks third by region and accounts for almost 20 percent of Trojan.Snifula activity. Considering our research, it seems that attackers are not about to quit targeting Japanese online banking customers.
Figure 1. Snifula activity in July 2014 by region
Figure 2. Snifula activity heat map in July 2014
Symantec Security Response is closely monitoring Snifula and provides appropriate protection against this threat. We will continue to update our coverage as we see new Snifula variants. To prevent infection, users should keep antivirus (AV) and intrusion prevention system (IPS) definitions up to date and avoid opening suspicious email attachments or links.
The following detections are Symantec’s current protections against Snifula.