A new banking Trojan in the news, known as Neverquest, is active and being used to attack a number of popular banking websites. This Trojan identifies target sites by searching for specific keywords on the web pages that victims are browsing. After infecting a system, the malware gives an attacker control of the infected machine with the help of a Virtual Network Computing (VNC) remote-access server and a SOCKS proxy server. The Trojan targets several banking sites and steals sensitive information, such as login credentials, that customers enter into these websites. The Trojan also steals login information for social networking sites (listed in its configuration file) such as Twitter, and sends this information to its control server.
Once it infects a system, the Trojan drops a randomly named DLL with a .dat extension (for example, cjekvxk.dat) in the %APPDATA% folder. The Trojan then runs this DLL automatically at startup via regsvr32.exe /s [DLL PATH] by adding a value under the “Software\Microsoft\Windows\CurrentVersion\Run” key. The Trojan tries to inject its malicious code into running processes and waits for browser processes such as iexplorer.exe or firefox.exe. Once the victim opens any site in one of these browsers, the Trojan requests the encrypted configuration file from its control server, as we see in this screenshot:
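The persistence mechanism described above (a silent regsvr32.exe /s registration of a .dat file dropped in %APPDATA%) is a cheap thing to hunt for on an endpoint. The following Python check is an added example, not code from the original post: it parses Run-key command lines and flags that pattern. The Run values and the cjekvxk.dat name in the sample are constructed for the demonstration; on Windows the script reads the live HKCU Run key instead.

```python
import re
import shlex
import sys

# Constructed sample of HKCU\...\Run values, shaped like the persistence entry
# described in the analysis. The cjekvxk.dat name is illustrative; the real
# sample uses a random name per infection.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "cjekvxk": r'regsvr32.exe /s C:\Users\alice\AppData\Roaming\cjekvxk.dat',
    "Updater": r'C:\Program Files\Vendor\update.exe --quiet',
}

def is_neverquest_like(command_line: str) -> bool:
    """True when a Run value silently registers a .dat 'DLL' living under %APPDATA%."""
    try:
        # posix=False keeps Windows backslashes literal and quotes attached
        parts = shlex.split(command_line, posix=False)
    except ValueError:
        return False
    if not parts:
        return False
    exe = parts[0].strip('"').lower()
    if not exe.endswith("regsvr32.exe"):
        return False
    args = [p.strip('"') for p in parts[1:]]
    silent = any(a.lower() in ("/s", "-s") for a in args)
    target = next((a for a in args if a.lower().endswith(".dat")), None)
    if not silent or target is None:
        return False
    t = target.lower()
    # %APPDATA% normally expands to C:\Users\<user>\AppData\Roaming
    return "%appdata%" in t or re.search(r"\\appdata\\roaming\\", t) is not None

def suspicious_run_entries(run_values: dict) -> list:
    """Return the names of Run values matching the Neverquest persistence pattern."""
    return [name for name, cmd in run_values.items() if is_neverquest_like(cmd)]

def load_hkcu_run_values() -> dict:
    """Read the live HKCU Run key on Windows; elsewhere fall back to the constructed sample."""
    if not sys.platform.startswith("win"):
        return SAMPLE_RUN_VALUES
    import winreg
    values, i = {}, 0
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:
            break
        values[name] = str(data)
        i += 1
    return values

if __name__ == "__main__":
    for name in suspicious_run_entries(load_hkcu_run_values()):
        print("suspicious Run value:", name)
```

The same check applies to the HKLM Run key and to Sysmon registry events (EventID 13) if you collect them centrally.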
The Trojan generates a unique ID number that is used in all subsequent requests. The reply is packed with aPLib compression: the reply data is appended to an “AP32” string and then passed to a decompression routine, as shown:
The Trojan targets financial institutions including Bank of America, CitiBank, and many others. Here is a list of target sites found in the decrypted configuration file:
The Trojan asks for sensitive information by modifying the page contents that a victim visits. The configuration file also contains a list of social networking sites and a list of keywords related to banking:
If the Trojan finds any of the keywords on a web page, it steals the full URL and all user-entered information and sends this data to the attacker:
The Trojan sends a unique ID number followed by the full URL containing username and password. (We’ve entered fake information to capture the logs.) The Trojan also sends all web page contents compressed with aPLib to the attacker in the following format:
The Trojan steals information entered on social networking sites listed in the configuration file and can use that data to further spread the malicious code:
The Trojan keeps on stealing new data and updating its configuration file. The attacker uses a SOCKS and VNC server to carry out malicious activities. Here is a snapshot of strings we found:
The Trojan can steal SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients. It can also steal FTP login credentials from various programs that can be used to distribute the malicious code:
I would like to thank my colleague Vikas Taneja for assistance with this research.