December 5, 2014 By Ilya Kolmanovich
Tal Darsan

IBM Trusteer researchers observed a new variant of the Neverquest malware this past November. A large increase in infection numbers led us to discover the updated threat. The new variant introduces two major changes: a modified installation process and a new communication pattern.

This variant targets financial institutions worldwide, with a focus on North America. The following graphs illustrate the number of infections worldwide based on IBM Security Trusteer Rapport users during the past three months:

Figure 1: Distribution of Neverquest infection rate per the three continents with the highest number of infections


Figure 2: Worldwide infection rate of Neverquest per the past three months

Neverquest Infection Process and Installation

During our research, we discovered that Neverquest infections are supported by multiple downloaders, including Zemot, which was dropped by the Kuluoz phishing email campaign, and the Chanitor downloader, which uses Tor2web as a proxy to fetch its payload hosted on the Tor network. We also noticed that drive-by exploit kits support the distribution of Neverquest, as seen in Stage 1 of Figure 3.

Figure 3: Infection methods

Two-Stage Installation Process

Once the dropper is executed on the compromised machine, it drops the Neverquest DLL module in the %TEMP% folder, then uses regsvr32.exe to execute it.

WriteFile: %TEMP%\~001BB3DB.tmp

Command line: regsvr32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~001BB3DB.tmp"

Next, it creates a copy of itself in %Appdata% or %Programdata% (Windows XP or Windows 7, respectively), which can be seen in Stage 2 and Stage 3 of Figure 3.

WriteFile: C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx

After that, it uses the CreateRemoteThread application programming interface (API) function to inject the malicious code into numerous legitimate Windows processes. Finally, the dropper is deleted by the injected Explorer.exe process.

Interestingly, this type of malware deploys several tricks to resist removal by security products, such as a “recurring runkey” and a “watchdog” for its DLL module. Recurring runkey is a technique in which the malware keeps rewriting its persistence entry in the Windows registry in an infinite loop, ensuring that even if the entry is removed, it will be written again. Watchdog is a technique the malware uses to ensure that its vital components are not removed: it monitors the location of its components and restores them once they are terminated. When one of them is deleted, it is immediately re-created by an injected process.

There is also a change within the two-stage installation process related to the malware's configuration, which is now written to a new registry entry.

In old variants:

HKCU\Software\AppDataLow\{GUID_A}\{GUID_B}

HKCU\Software\Classes\CLSID\{GUID_A}\{GUID_B}


In the new variant:

HKCU\Software\{GUID_A}\glpiglmhfdpmcf

Note that the GUID referenced above is calculated by a known algorithm that has been in use since the first variants of Neverquest, so we will not describe it here.
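The host artifacts described above (regsvr32.exe executing a .tmp file from the Temp folder, and the old and new configuration registry locations) can be checked against process-creation and registry-write events. The following is an added example, not code from the original post; the event tuples, rule names and sample GUID values are constructed, and it assumes the GUIDs use the standard 8-4-4-4-12 form.

```python
import re

# Assumption: GUID_A/GUID_B are standard 8-4-4-4-12 GUIDs, braces optional.
GUID = r'\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'

# regsvr32 pointed at a .tmp file under a Temp directory (long or 8.3 path).
# Generalises the article's "~001BB3DB.tmp" example to any .tmp file name.
REGSVR32_TMP = re.compile(r'regsvr32(?:\.exe)?"?\s.*\\Temp\\[^\\"]+\.tmp', re.I)

# Per-user registry locations listed in the article for the configuration.
REGISTRY_RULES = [
    ("config-key-old-appdatalow",
     re.compile(r'\\Software\\AppDataLow\\' + GUID + r'\\' + GUID, re.I)),
    ("config-key-old-clsid",
     re.compile(r'\\Software\\Classes\\CLSID\\' + GUID + r'\\' + GUID, re.I)),
    ("config-key-new-variant",
     re.compile(r'\\Software\\' + GUID + r'\\glpiglmhfdpmcf', re.I)),
]

def triage(events):
    """Return (event index, rule name) for each event matching an indicator."""
    findings = []
    for idx, (kind, value) in enumerate(events):
        if kind == "process" and REGSVR32_TMP.search(value):
            findings.append((idx, "regsvr32-registers-tmp-file"))
        elif kind == "registry":
            for name, pattern in REGISTRY_RULES:
                if pattern.search(value):
                    findings.append((idx, name))
    return findings

# Constructed sample events; only the first command line is quoted from the article.
SAMPLE_EVENTS = [
    ("process", r'regsvr32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~001BB3DB.tmp"'),
    ("process", r'regsvr32.exe /s C:\Windows\System32\scrrun.dll'),
    ("registry", r'HKCU\Software\{11111111-2222-3333-4444-555555555555}\glpiglmhfdpmcf'),
    ("registry", r'HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}'
                 r'\{66666666-7777-8888-9999-AAAAAAAAAAAA}'),
    ("registry", r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'),
    ("process", r'regsvr32 /s C:\Users\alice\AppData\Local\Temp\upd41.tmp'),
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(idx, rule, SAMPLE_EVENTS[idx][1])
```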

C&C Communication

Neverquest implements a new communication pattern with its command-and-control server, as seen below:

Figure 4: HTTP-POST request made by Neverquest

The following URL scheme was found in the malicious code:

/data/{TYPE:Hb}.php?i={PROJECT_ID:Hd}&data={BOT_ID:Hd}&hash={BUILD:Hw}=

Values representation:

{TYPE:Hb} – Request type, which includes the following options:

  • 00: Keep-alive connection
  • 01: Form-grabbing
  • 02: File request

{PROJECT_ID:Hd} – Internal ID
{BOT_ID:Hd} – Bot ID
{BUILD:Hw} – Build ID
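The URL scheme above can be turned into a proxy-log matcher that also decodes the request type. This is an added example, not code from the original post; the log layout, host names and field values are constructed, and it assumes the Hb/Hd/Hw fields are hex-encoded, with TYPE two digits long as in the listed options.

```python
import re

# Assumption: PROJECT_ID, BOT_ID and BUILD are hex strings of unspecified length;
# TYPE is two hex digits, matching the article's 00/01/02 options.
# The trailing "=" shown in the scheme is accepted but not required.
SCHEME = re.compile(
    r'^/data/(?P<type>[0-9A-Fa-f]{2})\.php'
    r'\?i=(?P<project_id>[0-9A-Fa-f]+)'
    r'&data=(?P<bot_id>[0-9A-Fa-f]+)'
    r'&hash=(?P<build>[0-9A-Fa-f]+)=?$')

REQUEST_TYPES = {"00": "keep-alive", "01": "form-grabbing", "02": "file request"}

def parse_beacon(uri):
    """Return the decoded fields if uri follows the scheme, otherwise None."""
    m = SCHEME.match(uri)
    if not m:
        return None
    fields = m.groupdict()
    fields["type_name"] = REQUEST_TYPES.get(fields["type"], "unknown")
    return fields

def scan_proxy_log(lines):
    """Scan 'time client method host uri' lines and return one dict per match."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, method, host, uri = parts
        beacon = parse_beacon(uri)
        if beacon:
            hits.append({"time": ts, "client": client, "method": method,
                         "host": host, **beacon})
    return hits

def request_types_by_client(hits):
    """Map each client to the sorted request types seen from it."""
    summary = {}
    for h in hits:
        summary.setdefault(h["client"], set()).add(h["type_name"])
    return {client: sorted(types) for client, types in summary.items()}

# Constructed proxy log lines (hosts and values are placeholders).
SAMPLE_LOG = """\
2014-12-01T10:00:01Z 10.0.0.5 POST c2.example.invalid /data/00.php?i=0000002A&data=1F3C9A77&hash=01B4=
2014-12-01T10:00:09Z 10.0.0.7 GET www.example.com /data/report.php?i=1&data=2&hash=3
2014-12-01T10:05:01Z 10.0.0.5 POST c2.example.invalid /data/01.php?i=0000002A&data=1F3C9A77&hash=01B4=
2014-12-01T10:06:30Z 10.0.0.9 POST shop.example.com /data/02.php?id=7
2014-12-01T10:07:00Z 10.0.0.8 POST c2.example.invalid /data/0A.php?i=2A&data=77&hash=B4
""".splitlines()
```

A client that shows both keep-alive and form-grabbing requests is the one to prioritise, since the second type indicates captured form data leaving the host.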

Additional Features

Among Neverquest’s tricks, you will find video and screenshot capture, man-in-the-middle and man-in-the-browser capabilities and a “Pony module,” which enables it to harvest email client, File Transfer Protocol (FTP) and stored browser credentials. It also uses SOCKS proxy, virtual network computing (VNC) and back-connect components in order to gain control of compromised endpoints. Additionally, we have seen a webinjects configuration that determines how it operates locally, which contains a list of 300 targeted entities worldwide. Although most of them are financial, there are other interesting sectors such as gaming, social networks and media.

Conclusion

We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied. Until then, these products are ineffective. IBM Security Trusteer researchers are closely monitoring this variant while providing appropriate protection against this new type of financial malware and many others. These solutions can detect, mitigate and remediate infections to protect the enterprise and your customers.

Samples

  • aa11dfd8b7f848595d4252db8f31ca05 (First seen Nov. 27, 2014)
  • 75f17f66715757ceac9d33efaaead261 (First seen Dec. 1, 2014)

IBM Trusteer’s Threat and Intelligence group comprises leading professionals in malware and intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape. This post was written based on research conducted by Tal Darsan, a Trusteer researcher.
