Hoax-Slayer

Neverquest Trojan Warning

Outline
Reports warn of a trojan called "Neverquest" that can activate itself on hundreds of banking and financial websites.

Brief Analysis
The reports are genuine. Security experts warn that the relatively new threat, which can spread itself via email, social media, and FTP, can recognize hundreds of banking sites and steal information from users when they try to log in from an infected computer.


Example

Editor's Note: This example shows just one method by which the trojan may be distributed. It may also be spread via emails with other content and via alternative vectors including social media and FTP.
 

Subject: Your UPS Invoice is Ready

This is an automatically generated email.
Please do not reply to this email address.

Dear UPS Customer,

New invoice(s) are available for the consolidated
payment plan(s) / account(s) enrolled in the UPS Billing Center

 

Please open attached file to view and pay your invoice.

(c) 2013 United Parcel Service of America, Inc. UPS, the
UPS brandmark, and the color brown are trademarks of United
Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer
to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will
not receive any reply message.

For questions or comments, visit Contact UPS.



Detailed Analysis
Warnings about a dangerous banking trojan called "Neverquest" are currently circulating.  The warnings claim that the trojan is able to activate itself on hundreds of banking and financial websites and steal information from people who have infected computers.


The warnings are valid. Security experts are indeed reporting on the threat posed by the Neverquest trojan. In a November 30, 2013 article about the threat, Kaspersky Lab notes:

Neverquest is a new banking trojan that spreads itself via social media, email and file transfer protocols. It possesses the capacity to recognize hundreds of online banking and other financial sites. When an infected user attempts to login to one of the sites the trojan reacts by activating itself and pilfering its victim’s credentials.

Symantec also reported on the threat, noting in a December 4, 2013 blog post:

There has been recent media coverage around a new online banking Trojan, publicly known as Neverquest. Once Neverquest infects a computer, the malware can modify content on banking websites opened in certain Internet browsers and can inject rogue forms into these sites. This allows attackers to steal login credentials from users. The threat can also let attackers take control of a compromised computer through a Virtual Network Computing (VNC) server. Neverquest can replicate itself by stealing login details and spamming out the Neverquest dropper, by accessing FTP servers to take credentials in order to distribute the malware with the Neutrino Exploit Kit and by obtaining social networking credentials to spread links to infected websites.

Thus, in this case, the circulating warnings are worth heeding. As always, people should use caution and common sense when opening attachments and following links in emails and social media posts. They should also ensure that they have up-to-date anti-virus and anti-malware protection on their computers and keep their operating system, browsers and other software updated.

Last updated: December 9, 2013
First published: December 9, 2013
By Brett M. Christensen

References
Online banking faces a new threat
Neverquest Trojan: Built to Steal from Hundreds of Banks
Dangerous New Banking Trojan Neverquest Is an Evolution of an Older Threat

© Brett M. Christensen, 2014. All Rights Reserved.
