Light Dark
December 5, 2014 By Ilya Kolmanovich
Tal Darsan
4 min read
Malware

IBM Trusteer researchers observed a new variant of the Neverquest malware over this past November. We observed a large increase in infection numbers, which led us to discover the updated threat. This new variant performs two new major changes, with a modified installation process and a new communication pattern.

This variant targets financial institutions worldwide, with a focus on North America. The following graphs illustrate the number of infections worldwide based on IBM Security Trusteer Rapport users during the past three months:

Figure 1: Distribution of Neverquest infection rate per the three continents with the highest number of infections


Figure 2: Worldwide infection rate of Neverquest per the past three months

Neverquest Infection Process and Installation

During our research, we discovered that Neverquest infections are supported by multiple downloaders, including Zemot, which was dropped by the Kuluoz phishing emails campaign, and the Chanitor downloader that uses Tor2web as a proxy to fetch its payload, which is hosted on the Tor network. We also noticed that drive-by exploit kits support the distribution of Neverquest, as seen in Stage 1 of Figure 3.

Figure 3: Infection methods

Two-Stage Installation Process

Once the dropper is being executed in the compromised machine, it drops the Neverquest DLL Module in the %TEMP% folder, then uses regsvr32.exe to execute it.

WriteFile: %TEMP%\~001BB3DB.tmp<br/>

Command line: regsvr32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~001BB3DB.tmp"

Next, it creates a copy of itself in %Appdata% or %Programdata% (Windows XP or Windows 7, respectively), which can be seen in Stage 2 and Stage 3 of Figure 3.

WriteFile: C:\Documents and Settings\All Users\Application Data\AudbeMtumh\ToyaXize.bwx

After that, it uses the CreateRemoteThreat application programming interface function to inject the malicious code into numerous legitimate Windows processes. Finally, the dropper is deleted by the injected Explorer.exe process. Interestingly, this type of malware deploys several tricks in order to bypass removal by security products, such as “recurring runkey” and a “watchdog” for its DLL module. Recurring runkey is a technique in which malware keeps on writing its persistency entry in the Windows registry using an infinite loop that will assure that even if this entry is removed, it will be rewritten. Watchdog is a technique made by malware that promises its vital components will not be removed. The malware taps the location of its components and reproduces them once they’re terminated. When one of them is being deleted, it is immediately reproduced by an injected process.

There is also a change within the two-stage installation process related to its configuration, which is being written to a new registry entry.

In old variants:

HKCU\Software\AppDataLow\{GUID_A}\{GUID_B}

HKCU\Software\Classes\CLSID\{GUID_A}\{GUID_B}

In the new variant:

HKCU\Software\{GUID_A}\glpiglmhfdpmcf

Note that the GUID referenced above is being calculated by a known algorithm that was implemented since the first variants of Neverquest, so we will not describe this detail here.

C&C Communication

Neverquest implements a new communication pattern with its command-and-control server, as seen below:

Figure 4: HTTP-POST request made by Neverquest

The following URL scheme was found in the malicious code:

/data/{TYPE:Hb}.php?i={PROJECT_ID:Hd}&data={BOT_ID:Hd}&hash={BUILD:Hw}=

Values representation:

{TYPE:Hb} – Request type, which includes the following options:

  • 00: Keep-alive connection
  • 01: Form-grabbing
  • 02: File request

{PROJECT_ID:Hd}, Internal ID
{BOT_ID:Hd}, Bot ID
{BUILD:Hw}, Build ID

Additional Features

Among Neverquest’s tricks, you will find video and screenshot capture, man-in-the-middle and man-in-the-browser capabilities and a “Pony module,” which enables it to harvest email clients, file transfer protocol and stored browser credentials. It also uses SOCKS Proxy, virtual network computing and back-connect components in order to gain control of compromised endpoints. Additionally, we have seen a webinjects configuration that determines how it operates locally, which contains a list of 300 targeted entities worldwide. Although most of them are financial, there are other interesting sectors such as gaming, social networks and media.

Conclusion

We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied. Until then, these products are ineffective. IBM Security Trusteer researchers are closely monitoring this variant while providing appropriate protection against this new type of financial malware and many others. These solutions can detect, mitigate and remediate infections to protect the enterprise and your customers.

Samples

  • aa11dfd8b7f848595d4252db8f31ca05 (First seen Nov. 27, 2014)
  • 75f17f66715757ceac9d33efaaead261 (First seen Dec. 1, 2014)

IBM Trusteer’s Threat and Intelligence group comprises leading professionals in malware and intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape. This post was written based on research committed by Tal Darsan, a Trusteer researcher.

 |  |  |  |  |  | 
Ilya Kolmanovich
Senior Threat Researcher
Tal Darsan
Manager, Threat and Intelligence Group at IBM Security (Trusteer)

More from Malware
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

June 6, 2023

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature