Neverquest, also known as Vawtrak, is data stealing malware that targets banking information.
Neverquest, also known as Vawtrak, is data stealing malware that targets banking information.

Computers infected with banking malware, called Neverquest, are being used to further a crimeware-as-a-service (CaaS) business model so fraudsters can deliver targeted attacks against victims in multiple locations, a security firm reveals.

A report released Thursday (PDF) by Sophos notes that while Neverquest, also known as Snifula and Vawtrak, is “neither technically ground-breaking nor innovative, it is an example of how banking malware can be used extremely effectively to achieve its goals.”

James Wyke, a senior threat researcher at Sophos who authored the report, noted that the CaaS business model has allowed the botnet's activities to be “adjusted on demand, with financial data effectively being stolen to order,” he wrote in the report.

The researcher explained that the malware is usually spread to new victims via three methods: as a payload to an exploit kit, through phishing email attachments, or by loader malware that, in turn, installs Neverquest on targeted systems.

After analyzing Neverquest infections, which spanned the globe, Sophos observed more than 2,500 infections in the U.S. alone. The malware targeted a number of U.S. bank domains in an attempt to steal financial data, including those for Bank of America, Capital One, Wells Fargo, and Citibank, the report said.

Customers of smaller financial institutions, or those less known, including U.S. Bank, Fifth Third Bank and Commerce Bank, were also targeted, Sophos said. 

Among Neverquest's tricks is its online email injections, the report said, which is used to keep victims' from immediately seeing legitimate communications from their bank about transfers.

“Another interesting injection is into online email websites, in particular mail.live.com and outlook.office.com,” the report said. “The goal of the injected code for these websites is to log the user out of their email account so that they cannot read any emails that they may receive from their bank, telling them that a new transfer has taken place out of their account.”