Trojan-Banker.Win32.Neverquest

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

This malware family consists of Trojans targeted against online banking services. The malware is used by cybercriminals to steal money or account credentials from users of e-banking services. Information needed for connecting to the server of the cybercriminals is encrypted inside the executable file of the malware. Trojan-Banker.Win32.Neverquest is distributed under the MAAS (Malware As A Service) model. This means that cybercriminals rent the malware from its creators, receiving a fully ready software kit for criminal purposes. The malware collects information about the infected computer and sends it to the cybercriminals' server. Collected information includes: • User rights in the operating system • Anti-virus software installed on the computer • Whether Rapport (by Trusteer) is installed • CPU architecture • Operating system version (including service pack number) • Proxy server address and port (if a proxy server is specified in the operating system settings) • NETBIOS name of the infected computer • Domain name (if the computer is on a domain) Malware of this family performs the following actions: • Downloading and running executable files • Stealing cookie files • Stealing certificates from the operating system store • Getting the list of running processes • Clearing the browser cache folder and deleting cookie files • Removing copies of malware files • Starting and stopping a SOCKS proxy server • Starting and stopping a VNC remote access server • Downloading and running updates of the malware (with or without restarting the computer) • Running commands via ShellExecute() • Deleting Registry entries • Stealing passwords stored in FTP clients • Deleting information about copies of the malware from the Registry • Copying files (specified via pattern mask) from an infected computer • Viewing the user's web history • Secretly recording video and sending recorded video to the cybercriminals' server • Getting video files by their number • Deleting video files by their number In addition, the malware can replace the content of web pages displayed in the user's browser by using spoofed content and configuration files, which are downloaded by the malware from a server controlled by cybercriminals.

Top 10 countries with most attacked users (% of total attacks)

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com