November 26, 2013, 11:45 AM — A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.
The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.
"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time."
Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the username and passwords entered by victims on those websites and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).
However, this Trojan program also has some features that make it stand out.
Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.
This helps attackers identify new financial websites to target and build scripts for the malware to interact with them.
Once attackers have the information they need to access a user's account on a website, they use a proxy server to connect to the user's computer via VNC and access the account directly. This can bypass certain account protection mechanisms enforced by websites because unauthorized actions like transferring money are done through the victim's browser.
"Of all of the sites targeted by this particular program, fidelity.com -- owned by Fidelity Investments -- appears to be the top target," Golovanov said. "This company is one of the largest mutual investment fund firms in the world. Its website offers clients a long list of ways to manage their finances online. This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims."
The methods used to distribute Neverquest are similar to those used to distribute the Bredolab botnet client, which became one of the most widespread malware on the Internet in 2010.