The well-known banking Trojan Neverquest has received several code updates that add new features to its capabilities.
Neverquest Is Threatening Users Once Again
The banking Trojan Neverquest has been updated by its developers with distinct modifications and feature additions that make it a more powerful weapon. In fact, so much of the main code base has changed that researchers are calling the newest iteration Neverquest 2.
The improvements were rolled out steadily over the summer. The first iterations of the Trojan were modified versions of the Gozi Trojan, which stole millions of dollars from victims by harvesting the credentials for their online banking accounts. The malware family is also known as Vawtrak.
The malware ships with 266 code injections, each aimed at a specific target site. The majority of these sites belong to banking and financial institutions, government agencies, wireless providers and online public-record aggregators. Neverquest 2 can also target Bitcoin trading sites.
The Trojan manipulates the victim sites' pages by adding extra fields to their web forms; whatever the user types into these fields, such as passwords and other sensitive information, is captured and stolen.
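The defensive counterpart to the form manipulation described above is a form-integrity check: compare the fields actually present in the page the user sees against the fields the site is known to serve, and flag anything extra. The script below is an added example and is not code from the article or from the Neverquest/Vawtrak analysis; the HTML page, the form id `login` and the field names (`atm_pin`, `mothers_maiden_name`, `csrf_token`) are constructed for illustration. Because a web inject alters the page inside the victim's browser after the server has responded, in practice the HTML would be captured client-side (for example by an in-page script reporting the form's field list back to the site) before a check like this is run.

```python
"""Flag form fields that a web inject may have grafted onto a login page.

Added example, not part of the original article. The page, form id and
field names below are constructed for illustration.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect the named input fields of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self._current_form = None   # id of the form we are currently inside
        self.forms = {}             # form id -> list of (field name, field type)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "form":
            self._current_form = attrs.get("id", "<anonymous>")
            self.forms.setdefault(self._current_form, [])
        elif tag in ("input", "select", "textarea") and self._current_form is not None:
            name = attrs.get("name")
            if name:  # unnamed controls (e.g. a submit button) never carry data
                self.forms[self._current_form].append((name, attrs.get("type", "text")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def unexpected_fields(html, form_id, expected_names):
    """Return {name: type} for fields in `form_id` that are not in the baseline.

    An empty dict means the form matches the fields the site is known to serve.
    """
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    present = dict(collector.forms.get(form_id, []))
    return {name: ftype for name, ftype in present.items() if name not in set(expected_names)}


# Constructed baseline: the fields the genuine login form is known to use.
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Constructed page as a victim's browser would render it after a web inject
# added two extra fields to the bank's login form.
INJECTED_PAGE = """
<html><body>
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <!-- the two fields below were not served by the bank -->
  <input type="text" name="atm_pin" placeholder="ATM PIN">
  <input type="text" name="mothers_maiden_name" placeholder="Mother's maiden name">
  <input type="submit" value="Sign in">
</form>
<form id="search"><input type="text" name="q"></form>
</body></html>
"""


def audit_login_form(html=INJECTED_PAGE):
    """Run the integrity check on the constructed page's login form."""
    return unexpected_fields(html, "login", EXPECTED_LOGIN_FIELDS)


if __name__ == "__main__":
    for name, ftype in sorted(audit_login_form().items()):
        print(f"unexpected field in login form: {name} (type={ftype})")
```

The check keys on field names rather than rendering, so it also catches fields an inject hides with CSS or positions off-screen; it does not catch an inject that repurposes an existing field or captures keystrokes directly, so it complements rather than replaces endpoint detection.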
Two new modules have been added in this iteration:
- The back-connect module (bc_32.dll) provides remote access to infected machines. It bundles a VNC server that can be installed on the target, giving the criminals full interactive control of the host: the ability to execute arbitrary commands, manipulate processes and spy on the user.
- The second module (dg_32.dll) adds information-stealing capabilities aimed at the certificates stored on the infected computer. It uses the system's cryptographic APIs to harvest that stored material, including private keys and certificate-authority data. It can also scan the infected system for cookies, browser profiles, browsing history and browser cache entries.
Neverquest 2 can also be used to access infected systems and install other malware, such as the Pony Trojan. The researchers note that even though this is a major update to the code base, the developers still focus their attention on hijacking pages and stealing account credentials and other sensitive information.