New Neverquest Variant Spotted in the Wild

IBM Trusteer researchers observed a new variant of the Neverquest malware over this past November. We observed a large increase in infection numbers, which led us to discover the updated threat. This new variant performs two new major changes, with a modified installation process and a new communication pattern.

This variant targets financial institutions worldwide, with a focus on North America. The following graphs illustrate the number of infections worldwide based on IBM Security Trusteer Rapport users during the past three months:

Distribution of Neverquest infection rate per the three continents with the highest amount of infections

Figure 1: Distribution of Neverquest infection rate per the three continents with the highest number of infections

Worldwide infection rate of Neverquest per the last three months

Figure 2: Worldwide infection rate of Neverquest per the past three months

Neverquest Infection Process and Installation

During our research, we discovered that Neverquest infections are supported by multiple downloaders, including Zemot, which was dropped by the Kuluoz phishing emails campaign, and the Chanitor downloader that uses Tor2web as a proxy to fetch its payload, which is hosted on the Tor network. We also noticed that drive-by exploit kits support the distribution of Neverquest, as seen in Stage 1 of Figure 3.

Infection methods

Figure 3: Infection methods

Two-Stage Installation Process

Once the dropper is being executed in the compromised machine, it drops the Neverquest DLL Module in the %TEMP% folder, then uses regsvr32.exe to execute it.

 WriteFile: %TEMP%\~001BB3DB.tmp<br/>
Command line: regsvr32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~001BB3DB.tmp"

Next, it creates a copy of itself in %Appdata% or %Programdata% (Windows XP or Windows 7, respectively), which can be seen in Stage 2 and Stage 3 of Figure 3.

WriteFile: C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx

After that, it uses the CreateRemoteThreat application programming interface function to inject the malicious code into numerous legitimate Windows processes. Finally, the dropper is deleted by the injected Explorer.exe process. Interestingly, this type of malware deploys several tricks in order to bypass removal by security products, such as “recurring runkey” and a “watchdog” for its DLL module. Recurring runkey is a technique in which malware keeps on writing its persistency entry in the Windows registry using an infinite loop that will assure that even if this entry is removed, it will be rewritten. Watchdog is a technique made by malware that promises its vital components will not be removed. The malware taps the location of its components and reproduces them once they’re terminated. When one of them is being deleted, it is immediately reproduced by an injected process.

There is also a change within the two-stage installation process related to its configuration, which is being written to a new registry entry.

In old variants:

HKCU\Software\AppDataLow\{GUID_A}\{GUID_B}
HKCU\Software\Classes\CLSID\{GUID_A}\{GUID_B}

In the new variant:

HKCU\Software\{GUID_A}\glpiglmhfdpmcf

Note that the GUID referenced above is being calculated by a known algorithm that was implemented since the first variants of Neverquest, so we will not describe this detail here.

C&C Communication

Neverquest implements a new communication pattern with its command-and-control server, as seen below:

HTTP-POST Request made by Neverquest

Figure 4: HTTP-POST request made by Neverquest

The following URL scheme was found in the malicious code:

/data/{TYPE:Hb}.php?i={PROJECT_ID:Hd}&data={BOT_ID:Hd}&hash={BUILD:Hw}=

Values representation:

{TYPE:Hb} – Request type, which includes the following options:

  • 00: Keep-alive connection
  • 01: Form-grabbing
  • 02: File request

{PROJECT_ID:Hd}, Internal ID
{BOT_ID:Hd}, Bot ID
{BUILD:Hw}, Build ID

Additional Features

Among Neverquest’s tricks, you will find video and screenshot capture, man-in-the-middle and man-in-the-browser capabilities and a “Pony module,” which enables it to harvest email clients, file transfer protocol and stored browser credentials. It also uses SOCKS Proxy, virtual network computing and back-connect components in order to gain control of compromised endpoints. Additionally, we have seen a webinjects configuration that determines how it operates locally, which contains a list of 300 targeted entities worldwide. Although most of them are financial, there are other interesting sectors such as gaming, social networks and media.

Conclusion

We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied. Until then, these products are ineffective. IBM Security Trusteer researchers are closely monitoring this variant while providing appropriate protection against this new type of financial malware and many others. These solutions can detect, mitigate and remediate infections to protect the enterprise and your customers.

Samples

  • aa11dfd8b7f848595d4252db8f31ca05 (First seen Nov. 27, 2014)
  • 75f17f66715757ceac9d33efaaead261 (First seen Dec. 1, 2014)

IBM Trusteer’s Threat and Intelligence group comprises leading professionals in malware and intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape. This post was written based on research committed by Tal Darsan, a Trusteer researcher.

Ilya Kolmanovich

Senior Threat Researcher

A security professional with more than 9 years of experience in researching malware and operating a malware research...