IBM Trusteer researchers observed a new variant of the Neverquest malware over this past November. We observed a large increase in infection numbers, which led us to discover the updated threat. This new variant performs two new major changes, with a modified installation process and a new communication pattern.

This variant targets financial institutions worldwide, with a focus on North America. The following graphs illustrate the number of infections worldwide based on IBM Security Trusteer Rapport users during the past three months:

Figure 1: Distribution of Neverquest infection rate per the three continents with the highest number of infections

Figure 2: Worldwide infection rate of Neverquest per the past three months

Neverquest Infection Process and Installation

During our research, we discovered that Neverquest infections are supported by multiple downloaders, including Zemot, which was dropped by the Kuluoz phishing emails campaign, and the Chanitor downloader that uses Tor2web as a proxy to fetch its payload, which is hosted on the Tor network. We also noticed that drive-by exploit kits support the distribution of Neverquest, as seen in Stage 1 of Figure 3.

Figure 3: Infection methods

Two-Stage Installation Process

Once the dropper is being executed in the compromised machine, it drops the Neverquest DLL Module in the %TEMP% folder, then uses regsvr32.exe to execute it.

WriteFile: %TEMP%\~001BB3DB.tmp<br/>

Command line: regsvr32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~001BB3DB.tmp"

Next, it creates a copy of itself in %Appdata% or %Programdata% (Windows XP or Windows 7, respectively), which can be seen in Stage 2 and Stage 3 of Figure 3.

WriteFile: C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx

After that, it uses the CreateRemoteThreat application programming interface function to inject the malicious code into numerous legitimate Windows processes. Finally, the dropper is deleted by the injected Explorer.exe process. Interestingly, this type of malware deploys several tricks in order to bypass removal by security products, such as “recurring runkey” and a “watchdog” for its DLL module. Recurring runkey is a technique in which malware keeps on writing its persistency entry in the Windows registry using an infinite loop that will assure that even if this entry is removed, it will be rewritten. Watchdog is a technique made by malware that promises its vital components will not be removed. The malware taps the location of its components and reproduces them once they’re terminated. When one of them is being deleted, it is immediately reproduced by an injected process.

There is also a change within the two-stage installation process related to its configuration, which is being written to a new registry entry.

In old variants:



In the new variant:


Note that the GUID referenced above is being calculated by a known algorithm that was implemented since the first variants of Neverquest, so we will not describe this detail here.

C&C Communication

Neverquest implements a new communication pattern with its command-and-control server, as seen below:

Figure 4: HTTP-POST request made by Neverquest

The following URL scheme was found in the malicious code:


Values representation:

{TYPE:Hb} – Request type, which includes the following options:

  • 00: Keep-alive connection
  • 01: Form-grabbing
  • 02: File request

{PROJECT_ID:Hd}, Internal ID
{BOT_ID:Hd}, Bot ID
{BUILD:Hw}, Build ID

Additional Features

Among Neverquest’s tricks, you will find video and screenshot capture, man-in-the-middle and man-in-the-browser capabilities and a “Pony module,” which enables it to harvest email clients, file transfer protocol and stored browser credentials. It also uses SOCKS Proxy, virtual network computing and back-connect components in order to gain control of compromised endpoints. Additionally, we have seen a webinjects configuration that determines how it operates locally, which contains a list of 300 targeted entities worldwide. Although most of them are financial, there are other interesting sectors such as gaming, social networks and media.


We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied. Until then, these products are ineffective. IBM Security Trusteer researchers are closely monitoring this variant while providing appropriate protection against this new type of financial malware and many others. These solutions can detect, mitigate and remediate infections to protect the enterprise and your customers.


  • aa11dfd8b7f848595d4252db8f31ca05 (First seen Nov. 27, 2014)
  • 75f17f66715757ceac9d33efaaead261 (First seen Dec. 1, 2014)

IBM Trusteer’s Threat and Intelligence group comprises leading professionals in malware and intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape. This post was written based on research committed by Tal Darsan, a Trusteer researcher.

more from Malware

Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine

Following ongoing research our team, IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate "Trickbot group" has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine. Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…

Countdown to Ransomware: Analysis of Ransomware Attack Timelines

This research was made possible through the data collection efforts of Maleesha Perera, Joffrin Alexander, and Alana Quinones Garcia. Key Highlights The average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021:  2019: 2+ months — The TrickBot (initial access) to Ryuk (deployment) attack path resulted in a 90% increase in ransomware attacks investigated by X-Force Incident…