IBM Trusteer researchers observed a new variant of the Neverquest malware this past November. A sharp rise in infection numbers led us to discover the updated threat. The new variant introduces two major changes: a modified installation process and a new communication pattern.

This variant targets financial institutions worldwide, with a focus on North America. The following graphs illustrate the number of infections worldwide based on IBM Security Trusteer Rapport users during the past three months:

Figure 1: Distribution of Neverquest infection rate per the three continents with the highest number of infections


Figure 2: Worldwide infection rate of Neverquest per the past three months

Neverquest Infection Process and Installation

During our research, we discovered that Neverquest infections are supported by multiple downloaders, including Zemot, which was dropped by the Kuluoz phishing email campaign, and the Chanitor downloader, which uses Tor2web as a proxy to fetch its payload hosted on the Tor network. We also noticed that drive-by exploit kits support the distribution of Neverquest, as seen in Stage 1 of Figure 3.

Figure 3: Infection methods

Two-Stage Installation Process

Once the dropper executes on the compromised machine, it drops the Neverquest DLL module in the %TEMP% folder and then uses regsvr32.exe to execute it.

WriteFile: %TEMP%\~001BB3DB.tmp

Command line: regsvr32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~001BB3DB.tmp"

Next, it creates a copy of itself in %Appdata% or %Programdata% (Windows XP or Windows 7, respectively), which can be seen in Stage 2 and Stage 3 of Figure 3.

WriteFile: C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx

After that, it uses the CreateRemoteThread application programming interface function to inject the malicious code into numerous legitimate Windows processes. Finally, the dropper is deleted by the injected Explorer.exe process. Interestingly, this malware deploys several tricks to bypass removal by security products, such as a “recurring runkey” and a “watchdog” for its DLL module. Recurring runkey is a technique in which the malware keeps writing its persistence entry to the Windows registry in an infinite loop, so that even if the entry is removed, it is rewritten. Watchdog is a technique by which the malware ensures its vital components are not removed: it monitors the location of its components and restores them once they are terminated. When one of them is deleted, it is immediately recreated by an injected process.
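The three installation behaviours described above (regsvr32.exe registering a .tmp file from %TEMP%, a Run value rewritten in a loop, and a component that reappears right after deletion) each leave a distinct trace in endpoint telemetry. The following Python is an added detection example, not code from the original post or from IBM Trusteer: it runs three checks over a small set of constructed, Sysmon-like events that reuse the paths quoted in the post. The Run key location is an assumption, since the post does not name the persistence key, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified endpoint telemetry (process / registry / file events)
# modelled loosely on Sysmon output. These are NOT real Neverquest logs; the
# paths and value names reuse the ones quoted in the post, and the Run key
# location is an assumption (the post does not name the persistence key).
EVENTS = [
    {"ts": "2014-12-01T10:00:00", "type": "process",
     "image": r"C:\WINDOWS\system32\regsvr32.exe",
     "cmdline": r'regsvr32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~001BB3DB.tmp"'},
    {"ts": "2014-12-01T10:00:02", "type": "file", "op": "create",
     "path": r"C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx"},
    # the same Run value is rewritten every few seconds ("recurring runkey")
    {"ts": "2014-12-01T10:00:05", "type": "registry", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "AudbeMtumh"},
    {"ts": "2014-12-01T10:00:10", "type": "registry", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "AudbeMtumh"},
    {"ts": "2014-12-01T10:00:15", "type": "registry", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "AudbeMtumh"},
    # a legitimate product writing its Run value once: must not be flagged
    {"ts": "2014-12-01T10:01:00", "type": "registry", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    # the DLL module is deleted (e.g. by a security product) and reappears a second later ("watchdog")
    {"ts": "2014-12-01T10:05:00", "type": "file", "op": "delete",
     "path": r"C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx"},
    {"ts": "2014-12-01T10:05:01", "type": "file", "op": "create",
     "path": r"C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx"},
    # a user file deleted and never recreated: must not be flagged
    {"ts": "2014-12-01T10:06:00", "type": "file", "op": "delete",
     "path": r"C:\Documents and Settings\Administrator\My Documents\notes.txt"},
]

# regsvr32 asked to register a *.tmp file sitting directly under a Temp directory
TEMP_TMP_RE = re.compile(r'\\temp\\[^"\\]+\.tmp"?\s*$', re.IGNORECASE)


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")


def regsvr32_from_temp(events):
    """Stage 1: regsvr32.exe executing a .tmp file dropped in %TEMP%."""
    return [e["cmdline"] for e in events
            if e["type"] == "process"
            and e["image"].lower().endswith("regsvr32.exe")
            and TEMP_TMP_RE.search(e["cmdline"])]


def recurring_runkey(events, threshold=3, window_s=60):
    """Registry values rewritten at least `threshold` times within `window_s` seconds.
    A legitimate installer writes its Run value once; a rewrite loop never stops."""
    writes = defaultdict(list)
    for e in events:
        if e["type"] == "registry" and e["op"] == "set":
            writes[(e["key"].lower(), e["value"].lower())].append(_ts(e))
    flagged = []
    for (key, value), times in writes.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.append((key, value))
                break
    return flagged


def watchdog_recreation(events, window_s=10):
    """Files recreated within `window_s` seconds of being deleted: the on-disk
    symptom of a watchdog restoring a component that was just removed."""
    last_delete = {}
    flagged = []
    for e in sorted((e for e in events if e["type"] == "file"), key=_ts):
        path = e["path"].lower()
        if e["op"] == "delete":
            last_delete[path] = _ts(e)
        elif e["op"] == "create" and path in last_delete:
            if (_ts(e) - last_delete.pop(path)).total_seconds() <= window_s:
                flagged.append(e["path"])
    return flagged


def triage(events):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "regsvr32_temp_dll": regsvr32_from_temp(events),
        "recurring_runkey": recurring_runkey(events),
        "watchdog_recreation": watchdog_recreation(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

The two timing-based checks are the ones that separate this behaviour from normal software: a single Run-key write or a single file recreation is routine, so the rules only fire on repetition inside a short window, and both thresholds should be tuned against a baseline of the environment's own telemetry before deployment.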

There is also a change within the two-stage installation process related to its configuration, which is now written to a new registry entry.

In old variants:

HKCU\Software\AppDataLow\{GUID_A}\{GUID_B}

HKCU\Software\Classes\CLSID\{GUID_A}\{GUID_B}


In the new variant:

HKCU\Software\{GUID_A}\glpiglmhfdpmcf

Note that the GUID referenced above is calculated by a known algorithm that has been in use since the first Neverquest variants, so we will not describe it here.

C&C Communication

Neverquest implements a new communication pattern with its command-and-control server, as seen below:

Figure 4: HTTP-POST request made by Neverquest

The following URL scheme was found in the malicious code:

/data/{TYPE:Hb}.php?i={PROJECT_ID:Hd}&data={BOT_ID:Hd}&hash={BUILD:Hw}=

Value representation:

{TYPE:Hb} – Request type, one of the following:

  • 00: Keep-alive connection
  • 01: Form-grabbing
  • 02: File request

{PROJECT_ID:Hd} – Internal ID
{BOT_ID:Hd} – Bot ID
{BUILD:Hw} – Build ID
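The URL scheme above is regular enough to parse directly, which turns the three request-type codes into a triage signal in proxy logs. The following Python is an added example, not code from the original post or from IBM Trusteer: it validates a request URI against the scheme, decodes the type code, and scans a few constructed proxy log lines (the hosts, client addresses and field values are invented). It assumes that the trailing `=` after the build value is a literal terminator, as the scheme shows, and it only checks that the three IDs are hexadecimal, since the post does not define the `Hb`, `Hd` and `Hw` widths.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request-type codes quoted in the post.
REQUEST_TYPES = {"00": "keep-alive", "01": "form-grabbing", "02": "file request"}

# /data/{TYPE:Hb}.php?i={PROJECT_ID:Hd}&data={BOT_ID:Hd}&hash={BUILD:Hw}=
PATH_RE = re.compile(r"^/data/(?P<type>[0-9a-fA-F]{2})\.php$")
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = """\
2014-12-01 10:00:03 10.0.0.5 POST http://203.0.113.10/data/00.php?i=0000002a&data=1f3a9c21&hash=0007= 200
2014-12-01 10:00:09 10.0.0.5 GET http://www.example.com/index.html 200
2014-12-01 10:00:20 10.0.0.5 POST http://203.0.113.10/data/01.php?i=0000002a&data=1f3a9c21&hash=0007= 200
2014-12-01 10:00:25 10.0.0.7 POST http://198.51.100.4/data/02.php?i=0000002a&data=9b77c0de&hash=0007= 200
2014-12-01 10:00:30 10.0.0.9 POST http://www.example.org/data/export.php?i=1&data=2&hash=3= 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def parse_neverquest_uri(uri):
    """Return the decoded fields of a URI matching the scheme, or None if it does not match.
    Accepts either a bare path-and-query or a full URL."""
    parts = urlsplit(uri)
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if any(k not in qs for k in ("i", "data", "hash")):
        return None
    build = qs["hash"][0]
    if not build.endswith("="):          # the scheme ends with a literal '='
        return None
    fields = {"project_id": qs["i"][0], "bot_id": qs["data"][0], "build": build[:-1]}
    if not all(HEX_RE.fullmatch(v) for v in fields.values()):
        return None
    type_code = m.group("type").lower()
    return {"type_code": type_code,
            "type": REQUEST_TYPES.get(type_code, "unknown"),
            **fields}


def scan_proxy_log(text):
    """Return one record per log line whose URL matches the Neverquest scheme."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = parse_neverquest_uri(m.group("url"))
        if parsed is None:
            continue
        hits.append({"ts": m.group("ts"),
                     "client": m.group("client"),
                     "host": urlsplit(m.group("url")).hostname,
                     **parsed})
    return hits


def bots_by_client(hits):
    """Map each internal client address to the bot IDs it has reported with."""
    out = {}
    for h in hits:
        out.setdefault(h["client"], set()).add(h["bot_id"])
    return out


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{h["ts"]} {h["client"]} -> {h["host"]} type={h["type"]} bot={h["bot_id"]} build={h["build"]}')
```

The type code is the useful part for an analyst: a host that only sends `00` keep-alives is beaconing, while a `01` form-grabbing request means credentials or form data have already left the machine, and that distinction decides how urgently the endpoint is pulled from the network.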

Additional Features

Among Neverquest’s tricks, you will find video and screenshot capture, man-in-the-middle and man-in-the-browser capabilities and a “Pony module,” which enables it to harvest email client, FTP and stored browser credentials. It also uses SOCKS proxy, virtual network computing (VNC) and back-connect components to gain control of compromised endpoints. Additionally, we have seen a webinjects configuration that determines how it operates locally and contains a list of 300 targeted entities worldwide. Although most of them are financial, there are other interesting sectors such as gaming, social networks and media.

Conclusion

We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied. Until then, these products are ineffective. IBM Security Trusteer researchers are closely monitoring this variant while providing appropriate protection against this new type of financial malware and many others. These solutions can detect, mitigate and remediate infections to protect the enterprise and your customers.

Samples

  • aa11dfd8b7f848595d4252db8f31ca05 (First seen Nov. 27, 2014)
  • 75f17f66715757ceac9d33efaaead261 (First seen Dec. 1, 2014)

IBM Trusteer’s Threat and Intelligence group comprises leading professionals in malware and intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape. This post was written based on research conducted by Tal Darsan, a Trusteer researcher.
