Over recent months, the FS-ISAC Security Operations Center has been tracking malicious activity associated with the Neverquest banking trojan.
Neverquest is a variant of the Vawtrak banking trojan that primarily targets online banking customers in the U.S. and Asia-Pacific countries. Its main function is to steal login credentials for specific websites.
Like other credential-stealing malware, Neverquest uses a “trigger list” of URLs and keywords to identify when an infected user logs into a secure banking site or other targeted secure site. Recent configurations show a shift to target social networking sites, gaming sites, and online retailers.
Other optional functionality reportedly includes a Virtual Network Computing (VNC) module to provide remote control of an infected computer, and a webinject module to collect additional information from victims.
Recent related campaigns use the Chanitor malware downloader for initial infection and to download the Neverquest malware to the victim’s computer. Chanitor primarily leverages malicious macros in Microsoft Word documents, which are typically delivered via phishing emails, although they could also be hosted on malicious or compromised websites.
The FS-ISAC Security Operations Center encourages financial institutions to ensure that macros are disabled by default in Microsoft Office. Additionally, employees should be reminded never to enable macros in a Microsoft Office document without first verifying the document's legitimacy.
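Because the delivery vector described above is a macro-bearing Word document attached to a phishing email, a mail gateway or triage script can flag such attachments by content rather than by file extension. The following is an added example, not FS-ISAC code; the function names, verdict strings and sample bytes are constructed for illustration, and the legacy-format check is a byte-level heuristic rather than a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # legacy .doc/.dot compound file header
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")    # VBA stream name as stored in the OLE directory

def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by whether a VBA project is present."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: OLE directory entry names are UTF-16LE, so the stream name appears in the raw bytes.
        return "ole-macro" if VBA_DIR_NAME in data else "ole-no-macro-seen"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "not-office"
        if "[content_types].xml" not in names:
            return "not-office"                       # an ordinary zip, not an OOXML package
        # Macro-enabled OOXML packages carry the VBA project as a vbaProject.bin part.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    return "not-office"

def should_quarantine(filename: str, data: bytes) -> bool:
    """Quarantine on macro content; the filename is only reported, never trusted."""
    verdict = classify_attachment(data)
    print(f"{filename}: {verdict}")
    return verdict in ("ooxml-macro", "ole-macro")

def make_ooxml_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-shaped package in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: a macro-bearing package named .docx, a clean one, and a fake legacy .doc.
    should_quarantine("invoice.docx", make_ooxml_sample(True))
    should_quarantine("notes.docx", make_ooxml_sample(False))
    should_quarantine("statement.doc", OLE_MAGIC + b"\x00" * 504 + VBA_DIR_NAME)
```

A check like this complements, and does not replace, disabling macros by default on endpoints, since documents can also arrive from malicious or compromised websites.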