“Neverquest” trojan targets online banking

FS-ISAC details malware attack

Written by Website Staff

Over recent months, the FS-ISAC Security Operations Center has been tracking malicious activity associated with the Neverquest banking trojan.

Neverquest is a variant of the Vawtrak banking trojan that primarily targets online banking customers in the U.S. and Asia-Pacific countries. Its main function is stealing login credentials for specific websites.

Like other credential-stealing malware, Neverquest uses a “trigger list” of URLs and keywords to identify when an infected user logs into a secure banking site or other targeted secure site. Recent configurations show a shift to target social networking sites, gaming sites, and online retailers.

Other optional functionality reportedly includes a virtual network computing module to provide remote control of an infected computer, and a webinject module to collect additional information from victims.

Recent related campaigns use the Chanitor malware downloader for initial infection and to download the Neverquest malware to the victim’s computer. Chanitor primarily leverages malicious macros in Microsoft Word documents, which are typically delivered via phishing emails, although they could also be hosted on malicious or compromised websites.

Preventative measures

The FS-ISAC Security Operations Center encourages financial institutions to ensure that macros are disabled by default in Microsoft Office. Additionally, employees should be reminded to never enable macros in a Microsoft Office document without verifying its legitimacy.
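
One way to check the macro setting described above on a workstation is shown below. It is an added example, not part of the FS-ISAC guidance or the original article. It assumes Office 2016 or later (registry version `16.0`) and reads the `VBAWarnings` value for the current user, first from the Group Policy location and then from the per-user Trust Center location.

```powershell
# Added example: audit the Office macro setting for the current user.
# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable without notification.
$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365; adjust for older installs
$Apps = 'Word', 'Excel', 'PowerPoint'
$Meaning = @{
    1 = 'enable all macros'
    2 = 'disable with notification'
    3 = 'disable except digitally signed'
    4 = 'disable without notification'
}

function Get-MacroSetting {
    param([string]$App)
    # The Group Policy location takes precedence over the Trust Center setting.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $path; Value = [int]$item.VBAWarnings }
        }
    }
    # No value present: Office falls back to "disable with notification".
    return [pscustomobject]@{ Source = '(not set, Office default)'; Value = 2 }
}

$report = foreach ($app in $Apps) {
    $s = Get-MacroSetting -App $app
    $enforced = $s.Source -like '*\Policies\*'
    if ($s.Value -eq 1)     { $finding = 'FAIL: macros run without prompting' }
    elseif (-not $enforced) { $finding = 'WARN: not enforced by policy, user can change it' }
    elseif ($s.Value -eq 2) { $finding = 'WARN: user can still click Enable Content' }
    else                    { $finding = 'OK' }
    [pscustomobject]@{
        App      = $app
        Setting  = $Meaning[$s.Value]
        Enforced = $enforced
        Finding  = $finding
    }
}
$report | Format-Table -AutoSize
```

The "disable with notification" warning is the case the employee reminder addresses: the macro is blocked, but a single click on the prompt runs it.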

Read “Are You A Friendly Neighborhood Target?,” based on a FS-ISAC presentation

Read 2013 Kaspersky Lab blog on Neverquest basics: “Neverquest Trojan: Built to Steal from Hundreds of Banks”

Read more about the FS-ISAC’s recent work and alerts at its latest monthly bulletin
