Computers infected with banking malware, called Neverquest, are being used to further a crimeware-as-a-service (CaaS) business model so fraudsters can deliver targeted attacks against victims in multiple locations, a security firm reveals.
A report released Thursday (PDF) by Sophos notes that while Neverquest, also known as Snifula and Vawtrak, is “neither technically ground-breaking nor innovative, it is an example of how banking malware can be used extremely effectively to achieve its goals.”
James Wyke, a senior threat researcher at Sophos who authored the report, noted that the CaaS business model has allowed the botnet’s activities to be “adjusted on demand, with financial data effectively being stolen to order,” he wrote in the report.
The researcher explained that the malware is usually spread to new victims via three methods: as a payload to an exploit kit, through phishing email attachments, or by loader malware that, in turn, installs Neverquest on targeted systems.
After analyzing Neverquest infections, which spanned the globe, Sophos observed more than 2,500 infections in the U.S. alone. The malware targeted a number of U.S. bank domains in an attempt to steal financial data, including those for Bank of America, Capital One, Wells Fargo, and Citibank, the report said.
Customers of smaller financial institutions, or those less known, including U.S. Bank, Fifth Third Bank and Commerce Bank, were also targeted, Sophos said.
Among Neverquest’s tricks is its online email injections, the report said, which is used to keep victims’ from immediately seeing legitimate communications from their bank about transfers.
“Another interesting injection is into online email websites, in particular mail.live.com and outlook.office.com,” the report said. “The goal of the injected code for these websites is to log the user out of their email account so that they cannot read any emails that they may receive from their bank, telling them that a new transfer has taken place out of their account.”
Wyke noted that Neverquest’s standard attack method is to inject a DLL file into browser processes.
“When targeted URLs are visited, Vawtrak inserts extra code into the web page,” the report said. “The extra code is used for a wide variety of purposes including bypassing two factor authentication, attempting to infect the victim with a mobile malware component using social engineering, and automatically initiating a transfer out of the victim’s account and subsequently hiding the evidence of the transfer.”
In a follow up interview with SCMagazine.com Wyke expounded on why botnet operators were using the crimeware-as-a-service business model for Neverquest-infected computers, rather than traditional botnet-selling tactics where renters are left their own aims (like distributing malware themselves).
“They still own the infrastructure themselves,” Wyke said of the CaaS model. “They run all the command-and-control servers,” he added, later noting that Neverquest’s operators may be a group of individuals who’ve designated certain people within the group to manage certain campaigns (targeting specific banks or geographic locations).
“You can have two malware samples of Vawtrak [or Neverquest] that call back to the same command-and-control server, but they could receive a completely different configuration file,” Wyke said.
According to Wyke, the Neverquest operations indicate that attackers must be pretty well resourced, as they require knowledge of the area being targeted, including some mastery of linguistics in order to speak the language of potential victims, and a network of money mules in various countries to withdraw money after fraudulent transfers.
In the report Sophos detailed six campaigns that targeted bank customers in Germany, Poland, Japan, the U.S., Australia, UK, Turkey, India, Italy, Saudi Arabia, Portugal, Spain and other countries.