Popular banking malware being used on broader targets

September 12, 2014 Arctic Wolf Networks

It was recently discovered that modifications have been made to the popular Neverquest banking Trojan, indicating that the malware is no longer being used solely to target online banking sites.

Neverquest, also known as Vawtrak, is a new version of the Trojan responsible for the loss of millions of dollars from numerous bank accounts during its tenure. The malware has been around for a few years now, but had previously always been used to target banks. Now the malicious software has been seen going after retailers, social media sites and even some gaming portals.

Modifications to the Trojan have enabled it to insert additional fields into specific Web forms, giving it the capability to steal PINs and other personal data, as well as the ability to hide its tracks in the Web traffic it has modified. The team behind the malware also added new features, such as webinjects that allow Neverquest to modify traffic in real time. The enhanced webinjects make it possible for the malicious software to capture additional user information for exploitation and enable more advanced data-hiding techniques that make criminal activity difficult to detect.

"Vawtrak's advanced webinject capabilities are similar to other state-of-the-art banking Trojans, allowing it to modify data in web traffic, even if it has been secured with encryption," explained Don Jackson, director of threat intelligence for PhishLabs. "Vawtrak uses this capability to steal login credentials, automate fraudulent transactions inside online banking sessions, and inject additional form fields into legitimate web pages to gather additional information, such as Social Security numbers or PINs, for use in banking fraud and identity theft."

Malware widening its reach

Neverquest is designed to activate on a compromised device when a user visits a website on a predetermined list of target sites. Until recently, that list mainly consisted of banks, but the volume and variety of the malware's targets have been expanded along with its capabilities. According to Jackson, large-scale cyberattacks against U.S. targets have been increasing dramatically for the last three months. In July, samples from the newly modified Neverquest were configured to use advanced webinject attacks against as many as 64 websites.

Cyberattacks against businesses in every industry are increasing, and so is the need for enterprise security techniques that will protect sensitive information. Implementing security information and event management is a sure way to protect enterprise systems. A SIEM solution provides continuous monitoring of networks and endpoints to detect malicious activity or suspicious behavior. Concierge SIEM service providers analyze the observed threat information and offer companies actionable information that can then be used to better defend against cyberthreats and mitigate the effects of data breaches.
