Since the beginning of 2014, F5 SOC malware investigations have uncovered new attack methods, mainly in Eastern Europe, where the Neverquest malware was detected.

Neverquest, also known as Vawtrak, is a banking Trojan that has been active since around July 2013 and is being used to attack a number of popular banking websites.

Like the well-known Zeus banking Trojan, Neverquest steals login credentials and other sensitive information from the infected machine and can inject scripts into the victim's browser to perform transactions. It also gives the attacker VNC access and a SOCKS proxy on the victim's computer, providing full control of the infected machine. To defeat SMS-based second-factor authentication, Neverquest uses social engineering to urge the victim to install a malicious application on their mobile device, which forwards the SMS messages that carry the one-time codes.


Once the infected user reaches the bank's login page, the man-in-the-browser (MITB) attack is activated and the victim is asked to enter a mobile phone number in order to download a "security certificate." After the user enters the phone number, an SMS containing a link to the malicious APK is sent to that phone. Each targeted entity has its own specially crafted APK. Here is a sample of the Android APK with its easy step-by-step installation guide.
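As an added illustration (not part of the F5 report or the original post), the following Python script shows a triage check a defender could run on a suspect APK's AndroidManifest.xml. It assumes the manifest has already been decoded to plain XML (for example with apktool) and flags the capability combination an SMS-forwarding app needs: permission to receive SMS, a broadcast receiver for SMS_RECEIVED, and a channel (INTERNET or SEND_SMS) to relay the intercepted codes. Both manifests below are constructed for this example and are not taken from an actual Neverquest sample.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; ElementTree needs the Clark form.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests for this example (not taken from a real
# Neverquest/Vawtrak APK). The first has the shape of an SMS-forwarding
# "security certificate" app; the second is an ordinary app for contrast.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitycertificate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Certificate">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

SMS_ACCESS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
RELAY_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def sms_receivers(root):
    """Return (receiver name, priority) for every receiver listening for SMS_RECEIVED."""
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = flt.get(ANDROID_NS + "priority")
                found.append((rcv.get(ANDROID_NS + "name"), int(prio) if prio else 0))
    return found


def analyze_manifest(xml_text):
    """Flag the capability combination an SMS-forwarding app needs."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    receivers = sms_receivers(root)
    findings = []
    if perms & SMS_ACCESS_PERMS:
        findings.append("can read incoming SMS")
    if receivers:
        findings.append("registers a receiver for SMS_RECEIVED")
    # A priority above the default SMS app's lets the receiver see (and, on
    # Android before 4.4, abort) the broadcast before the user does.
    if any(prio >= 1000 for _, prio in receivers):
        findings.append("SMS receiver runs at high priority")
    if perms & RELAY_PERMS:
        findings.append("has a channel (INTERNET/SEND_SMS) to relay the codes")
    suspicious = bool(perms & SMS_ACCESS_PERMS) and bool(receivers) and bool(perms & RELAY_PERMS)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "sms_receivers": receivers,
        "findings": findings,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest)
        print(name, report["package"], "SUSPICIOUS" if report["suspicious"] else "clean")
        for finding in report["findings"]:
            print("  -", finding)
```

The check is deliberately a conjunction: many legitimate apps ask for INTERNET, and some ask for SMS access, but a small app whose only job is to read every incoming SMS and also has a way to send that content elsewhere is exactly the profile of the "security certificate" dropper described above. Note that abortBroadcast() on SMS_RECEIVED stopped working for non-default SMS apps in Android 4.4, but a high-priority receiver can still read the one-time code before the user acts on it, so the heuristic remains useful.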

[Image: sample Android APK with its step-by-step installation guide]

To download the full F5 SOC Neverquest Malware Analysis Report, click here.

An Executive Summary of the report can be downloaded here.