I’ll bet no one is missing the Neverquest Trojan, and maybe that’s why many have not even realized one of the top cybergang-operated malware codes has taken a substantial plunge this year.

The Neverquest Trojan, a consistent occupant of the top 10 most active banking Trojans in the world, has suffered a blow due to the arrest of one of its alleged authors in January 2017. The 32-year-old Russian national, Stanislav Lisov, was detained by Spanish police in Barcelona based on an FBI warrant that asserted he was the developer of the nefarious Neverquest malware.

While an arrest is indeed a major ordeal for any cybercrime gang, others, such as Gozi and Dridex, went through the same occurrence and continue to top the charts. So, what’s been happening with the Neverquest gang?

One Quarter Brings One Big Fall

Looking back at where Neverquest has been the past two years clarifies the size of the usage plunge since Lisov’s pivotal arrest.

IBM X-Force data shows that in 2015, Neverquest was second only to the Dyre Trojan, which topped the financial malware charts that year. In 2016, after Dyre’s disappearance, Neverquest took its place as the most active banking Trojan in the cybercrime arena. X-Force data showed that it was only in late 2016 that new Zeus variations started rising in underground forums and pushed Neverquest down to second rank.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Neverquest started 2017 strong on the malware chart. X-Force data from the beginning of the year shows it still ranked second on the top 10 list, only following the endless number of Zeus factions operating commercial malware.


Figure 1: Most prevalent financial malware families (Source: IBM X-Force, January 2017)

During the first quarter of 2017, Neverquest’s activity — and subsequently its ranking — on the global banking Trojan charts, dropped rapidly. By the end of the first quarter, it ended up in 10th place, right under the much less prevalent GootKit Trojan.


Figure 2: Most prevalent financial malware families (Source: IBM X-Force, April 2017)

To understand why this arrest impacted Neverquest so much, let’s consider its modus operandi and the cybergang’s composition for committing fraud.

Neverquest: A High-Profile Targeting Trojan

The Neverquest Trojan, aka Vawtrak, is a Gozi Trojan variation that was discovered by IBM Security researchers in November 2014. It surfaced at a time when other would-be giants such as Dridex and Dyre emerged.

Neverquest’s roots go back to 2000, linking it with organized cybercrime groups such as 76 Service and the HangUp Team, which were Russian Business Network (RBN) partners. This classification means rookies did not conceive or operate the malware, but it was the work of seasoned cybercriminals who had plans to build a cybercrime-as-a-service platform around it.

Having analyzed Neverquest target lists over time, it’s logical to infer that Neverquest, like its peers, had a clear appetite for big money: business banking and investment banking. By 2015, the Trojan’s configuration files started featuring a growing number of bank URLs, targeting those services right around the time the Dyre Wolf attacks were discovered, and unveiled the exact approach organized cybercrime was using to cash in on those targets.

According to X-Force researchers, Neverquest is believed to be a cybercrime-as-a-service platform that supported a number of geo-specific operators who used the malware and botnet to rob bank accounts and share the loot with operators. Similar to the way the Dridex botnet is divided into numbered campaigns and sub-botnets, Neverquest is also programmed to create this distinction: As soon as it lands on a newly infected endpoint, it calls home with a numeric ID that identifies its campaign.

In that way, the botnet is segmented into the different campaigns, allowing its operator to attribute specific configuration instructions to each segment, including the attack M.O., webinjections and more. This method was apparently conceptualized by the Gameover Zeus gang, according to an organized cybercrime 2014 Europol report. This explains why some Neverquest configurations are long and include a large variety of targets, blocked URLs and different attack modes: They are designed to accommodate a number of actors at once, making them heftier than most.

What does Neverquest’s business model have to do with the 2017 plunge in activity? A lot actually, and it’s a human reaction called fear. Neverquest, unlike the GootKit gang for example, is not one close-knit gang; it’s a service to the cybercrime elite. The minute Neverquest’s dubious collaborators saw law enforcement reach one of their trusted parties, they realized the FBI was already too close for comfort and dropped it like it was hot: Campaigns delivering the Neverquest Trojan dropped considerably on Jan. 19, 2017, just a few days after Lisov’s arrest in Spain.


Figure 3: Neverquest monthly infection attempts (Source: IBM X-Force)

Another Dead Trojan

Is Neverquest gone, or just taking a hiatus of sorts? I wouldn’t be too fast to pronounce Neverquest dead. This malware is linked with longstanding cybercrime groups that date back to the year 2000. The original Ursnif became Gozi, which evolved into Gozi Prinimalka, which eventually became Neverquest. It has been operated by seasoned criminals through the years, and the code is probably still in one of its proponent’s possession.

It is very possible that the Neverquest group is shifting from using that particular malware to evade the attention from law enforcement, but nothing has stopped them from going back to activating it, selling it to another group or modifying it before a future relaunch.

Time will tell. In the meanwhile, keep an eye out on the Sphinx Trojan, which has been rising rapidly and is likely to climb the global chart some more before 2017 is over.

Wait, what? Why Zeus Sphinx?

End of One Quest, Beginning of Another?

Cybercriminals moving from one gang to another is not a rare occurrence. Take, for example, the Dridex Trojan that suddenly donned Dyre-like redirection attacks in January 2016, or the TrickBot Trojan that emerged with all the bells and whistles of the late Dyre Trojan. These were unlikely coincidences, and likely the case of the now-scrammed Neverquest users. The end of a quest, possibly, but where are Neverquest operators headed next? It’s not so hard to figure out.

Let’s note here that Neverquest, like other malware of its type, outsources its distribution in part or in whole. For most of its email spam delivery, X-Force research noted that it was using a network known as the Moskalvzapoe Network — spam delivery serving cybercriminals and others. Delivery via Moskalvzapoe was halted for about a week, from Jan. 19 to Jan. 24, but after that first week, it appears that Moskalvzapoe’s operators took their customer back — this time abandoning Neverquest for the Zeus Sphinx Trojan and dropping it via Moskalvzapoe’s DELoader, aka Terdot.

The group is likely using Sphinx to target banks in Canada. How surprising is it to see this Zeus variation take a life of its own and begin climbing the malware charts this year?


Figure 4: Most prevalent financial malware families in 2017 YTD (Source: IBM X-Force, May 2017)

Mitigating Advanced Malware Threats

IBM Security can help banks that wish to learn more about this threat, and assist them in securing their users against Trojan-facilitated cybercrime.

Users wishing to get a few best practices on lowering their risk of infection from banking Trojans can browse to our best practices page for more information.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Neverquest IoCs

The following are Neverquest samples analyzed by IBM X-Force research in January 2017, before the drop in campaigns began:

NQ Dropper MD5:

2DEC5EDC4D1F59D10E3925EB2D7BFE7D

3AAB483EBD107C6E6E44AAD524E40EC0

NQ Sample MD5:

C3D36F11D65851242B6EDDAA835FC72B

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today