I’ll bet no one is missing the Neverquest Trojan, and maybe that’s why many have not even realized one of the top cybergang-operated malware codes has taken a substantial plunge this year.
The Neverquest Trojan, a consistent occupant of the top 10 most active banking Trojans in the world, has suffered a blow due to the arrest of one of its alleged authors in January 2017. The 32-year-old Russian national, Stanislav Lisov, was detained by Spanish police in Barcelona based on an FBI warrant that asserted he was the developer of the nefarious Neverquest malware.
While an arrest is indeed a major ordeal for any cybercrime gang, others, such as Gozi and Dridex, went through the same occurrence and continue to top the charts. So, what’s been happening with the Neverquest gang?
One Quarter Brings One Big Fall
Looking back at where Neverquest has been the past two years clarifies the size of the usage plunge since Lisov’s pivotal arrest.
IBM X-Force data shows that in 2015, Neverquest was second only to the Dyre Trojan, which topped the financial malware charts that year. In 2016, after Dyre’s disappearance, Neverquest took its place as the most active banking Trojan in the cybercrime arena. X-Force data showed that it was only in late 2016 that new Zeus variations started rising in underground forums and pushed Neverquest down to second rank.
Neverquest started 2017 strong on the malware chart. X-Force data from the beginning of the year shows it still ranked second on the top 10 list, only following the endless number of Zeus factions operating commercial malware.
During the first quarter of 2017, Neverquest’s activity — and subsequently its ranking — on the global banking Trojan charts, dropped rapidly. By the end of the first quarter, it ended up in 10th place, right under the much less prevalent GootKit Trojan.
To understand why this arrest impacted Neverquest so much, let’s consider its modus operandi and the cybergang’s composition for committing fraud.
Neverquest: A High-Profile Targeting Trojan
The Neverquest Trojan, aka Vawtrak, is a Gozi Trojan variation that was discovered by IBM Security researchers in November 2014. It surfaced at a time when other would-be giants such as Dridex and Dyre emerged.
Neverquest’s roots go back to 2000, linking it with organized cybercrime groups such as 76 Service and the HangUp Team, which were Russian Business Network (RBN) partners. This classification means rookies did not conceive or operate the malware, but it was the work of seasoned cybercriminals who had plans to build a cybercrime-as-a-service platform around it.
Having analyzed Neverquest target lists over time, it’s logical to infer that Neverquest, like its peers, had a clear appetite for big money: business banking and investment banking. By 2015, the Trojan’s configuration files started featuring a growing number of bank URLs, targeting those services right around the time the Dyre Wolf attacks were discovered, and unveiled the exact approach organized cybercrime was using to cash in on those targets.
According to X-Force researchers, Neverquest is believed to be a cybercrime-as-a-service platform that supported a number of geo-specific operators who used the malware and botnet to rob bank accounts and share the loot with operators. Similar to the way the Dridex botnet is divided into numbered campaigns and sub-botnets, Neverquest is also programmed to create this distinction: As soon as it lands on a newly infected endpoint, it calls home with a numeric ID that identifies its campaign.
In that way, the botnet is segmented into the different campaigns, allowing its operator to attribute specific configuration instructions to each segment, including the attack M.O., webinjections and more. This method was apparently conceptualized by the Gameover Zeus gang, according to an organized cybercrime 2014 Europol report. This explains why some Neverquest configurations are long and include a large variety of targets, blocked URLs and different attack modes: They are designed to accommodate a number of actors at once, making them heftier than most.
What does Neverquest’s business model have to do with the 2017 plunge in activity? A lot actually, and it’s a human reaction called fear. Neverquest, unlike the GootKit gang for example, is not one close-knit gang; it’s a service to the cybercrime elite. The minute Neverquest’s dubious collaborators saw law enforcement reach one of their trusted parties, they realized the FBI was already too close for comfort and dropped it like it was hot: Campaigns delivering the Neverquest Trojan dropped considerably on Jan. 19, 2017, just a few days after Lisov’s arrest in Spain.
Another Dead Trojan
Is Neverquest gone, or just taking a hiatus of sorts? I wouldn’t be too fast to pronounce Neverquest dead. This malware is linked with longstanding cybercrime groups that date back to the year 2000. The original Ursnif became Gozi, which evolved into Gozi Prinimalka, which eventually became Neverquest. It has been operated by seasoned criminals through the years, and the code is probably still in one of its proponent’s possession.
It is very possible that the Neverquest group is shifting from using that particular malware to evade the attention from law enforcement, but nothing has stopped them from going back to activating it, selling it to another group or modifying it before a future relaunch.
Time will tell. In the meanwhile, keep an eye out on the Sphinx Trojan, which has been rising rapidly and is likely to climb the global chart some more before 2017 is over.
Wait, what? Why Zeus Sphinx?
End of One Quest, Beginning of Another?
Cybercriminals moving from one gang to another is not a rare occurrence. Take, for example, the Dridex Trojan that suddenly donned Dyre-like redirection attacks in January 2016, or the TrickBot Trojan that emerged with all the bells and whistles of the late Dyre Trojan. These were unlikely coincidences, and likely the case of the now-scrammed Neverquest users. The end of a quest, possibly, but where are Neverquest operators headed next? It’s not so hard to figure out.
Let’s note here that Neverquest, like other malware of its type, outsources its distribution in part or in whole. For most of its email spam delivery, X-Force research noted that it was using a network known as the Moskalvzapoe Network — spam delivery serving cybercriminals and others. Delivery via Moskalvzapoe was halted for about a week, from Jan. 19 to Jan. 24, but after that first week, it appears that Moskalvzapoe’s operators took their customer back — this time abandoning Neverquest for the Zeus Sphinx Trojan and dropping it via Moskalvzapoe’s DELoader, aka Terdot.
The group is likely using Sphinx to target banks in Canada. How surprising is it to see this Zeus variation take a life of its own and begin climbing the malware charts this year?
Mitigating Advanced Malware Threats
IBM Security can help banks that wish to learn more about this threat, and assist them in securing their users against Trojan-facilitated cybercrime.
Users wishing to get a few best practices on lowering their risk of infection from banking Trojans can browse to our best practices page for more information.
The following are Neverquest samples analyzed by IBM X-Force research in January 2017, before the drop in campaigns began:
NQ Dropper MD5:
NQ Sample MD5: