Detect Date 06/03/2016
Class Trojan-Banker
Platform Win32

This malware family consists of Trojans that target online banking services. Cybercriminals use the malware to steal money or account credentials from users of e-banking services.

The information the malware needs to connect to the cybercriminals' server is stored encrypted inside its executable file. Trojan-Banker.Win32.Neverquest is distributed under the MaaS (Malware as a Service) model: cybercriminals rent the malware from its creators and receive a ready-to-use software kit for criminal purposes.

The malware collects information about the infected computer and sends it to the cybercriminals’ server. Collected information includes:
• User rights in the operating system
• Anti-virus software installed on the computer
• Whether Rapport (by Trusteer) is installed
• CPU architecture
• Operating system version (including service pack number)
• Proxy server address and port (if a proxy server is specified in the operating system settings)
• NETBIOS name of the infected computer
• Domain name (if the computer is on a domain)

Malware of this family performs the following actions:
• Downloading and running executable files
• Stealing cookie files
• Stealing certificates from the operating system store
• Getting the list of running processes
• Clearing the browser cache folder and deleting cookie files
• Removing copies of malware files
• Starting and stopping a SOCKS proxy server
• Starting and stopping a VNC remote access server
• Downloading and running updates of the malware (with or without restarting the computer)
• Running commands via ShellExecute()
• Deleting Registry entries
• Stealing passwords stored in FTP clients
• Deleting information about copies of the malware from the Registry
• Copying files (specified via pattern mask) from an infected computer
• Viewing the user’s web history
• Secretly recording video and sending recorded video to the cybercriminals’ server
• Getting video files by their number
• Deleting video files by their number

In addition, the malware can replace the content of web pages displayed in the user's browser, using spoofed content and configuration files that it downloads from a server controlled by the cybercriminals.
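The page tampering described above typically shows up on the client as extra form fields, a changed form destination or a script the genuine page never shipped. The following is an added example, not code from the original description or from any vendor: a client-side integrity check that a banking site could run to notice such tampering. The baseline, the origin bank.example, the field names and the tampered snapshot are all constructed for the example; it works on a plain snapshot of form structure so it can run outside a browser, with a helper that builds that snapshot from the DOM when one is available.

```javascript
// Added example: client-side integrity check against injected page content.
// Assumptions (constructed, not from the original description): the bank's
// login form lives at https://bank.example/login and ships exactly the fields
// and scripts listed in EXPECTED_LOGIN_FORM.
const EXPECTED_LOGIN_FORM = {
  action: 'https://bank.example/login',
  fields: ['username', 'password', 'csrf_token'],
  scripts: ['https://bank.example/static/app.js'],
};

// Compare what the page actually contains against the shipped baseline.
// Returns a list of findings; an empty list means nothing unexpected was seen.
function auditForm(expected, observed) {
  const findings = [];
  const expectedFields = new Set(expected.fields);
  const observedFields = new Set(observed.fields);

  // Injected content commonly ADDS inputs (card number, PIN, token) to a
  // genuine form; flag any field the baseline does not know about.
  for (const name of observedFields) {
    if (!expectedFields.has(name)) findings.push({ type: 'unexpected_field', name });
  }
  // A field that vanished also indicates the form was rewritten.
  for (const name of expectedFields) {
    if (!observedFields.has(name)) findings.push({ type: 'missing_field', name });
  }
  // Submitting to anything but the genuine endpoint is a red flag.
  if (observed.action !== expected.action) {
    findings.push({ type: 'action_changed', value: observed.action });
  }
  // Any script source outside the allow-list was not shipped by the site.
  const allowedScripts = new Set(expected.scripts);
  for (const src of observed.scripts) {
    if (!allowedScripts.has(src)) findings.push({ type: 'unexpected_script', value: src });
  }
  return findings;
}

// Browser-only helper: build the snapshot from a live document. In Node there
// is no DOM, so it returns null and the caller supplies a snapshot directly.
function buildSnapshot(formId) {
  if (typeof document === 'undefined') return null;
  const form = document.getElementById(formId);
  if (!form) return null;
  return {
    action: form.action,
    fields: Array.from(form.elements).map((el) => el.name).filter(Boolean),
    scripts: Array.from(document.scripts).map((s) => s.src).filter(Boolean),
  };
}

// Package findings for the site's own telemetry endpoint. Only structural
// facts are reported, never the values the user typed.
function buildReport(findings, pageUrl) {
  return {
    page: pageUrl,
    tampered: findings.length > 0,
    findings: findings.map((f) => ({ ...f })),
  };
}

// Constructed sample snapshots for a stand-alone run.
const CLEAN_SNAPSHOT = {
  action: 'https://bank.example/login',
  fields: ['username', 'password', 'csrf_token'],
  scripts: ['https://bank.example/static/app.js'],
};
const TAMPERED_SNAPSHOT = {
  action: 'https://bank.example/login',
  fields: ['username', 'password', 'csrf_token', 'card_pin'],
  scripts: ['https://bank.example/static/app.js', 'https://attacker-controlled.invalid/inject.js'],
};

const liveSnapshot = buildSnapshot('login-form') || TAMPERED_SNAPSHOT;
console.log(JSON.stringify(buildReport(auditForm(EXPECTED_LOGIN_FORM, liveSnapshot), 'https://bank.example/login'), null, 2));
```

The baseline should be generated at build time from the real templates and served with the page, and the report endpoint should only ever receive field names and script URLs, not user input; a check like this cannot stop a compromised host, but it gives the site an early signal that its customers are seeing modified pages.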

Geographical distribution of attacks by the Trojan-Banker.Win32.Neverquest family

Geographical distribution of attacks during the period from 03 June 2015 to 03 June 2016

Top 10 countries with most attacked users (% of total attacks)

Rank  Country          % of users attacked worldwide*
1     Germany          15.37
2     Japan             7.47
3     USA               7.05
4     Spain             5.35
5     France            5.18
6     Italy             3.57
7     Poland            3.23
8     Canada            2.63
9     India             2.46
10    United Kingdom    2.46

* Percentage among all unique Kaspersky Lab users worldwide attacked by this malware