A new version of the notorious Neverquest banking Trojan, used to steal financial information, was discovered in November. It goes by the name Vawtrak and is being distributed through several malware droppers, Zemot among them. This version is seen mostly in North America, followed by Europe and Asia. Zemot is part of the Upatre family of downloaders and is often used by the Asprox / Kuluoz botnet operators to push additional malicious software onto already infected computers.
Modified Installation Process
Security experts in IBM Trusteer’s Threat and Intelligence group observed that the new Neverquest version has a modified installation process. Communication with the command and control (C&C) server goes through the Tor2web proxy network: the C&C server is hosted on the Tor network and the bot reaches it through public Tor2web gateways, so it needs no Tor client of its own. Because Tor hides the real location of the server, the C&C infrastructure is hard to locate, take down or attribute, which makes the Vawtrak Trojan very difficult to track. The same design leaves a network-level indicator, however: the bot must connect to a Tor2web gateway hostname over HTTPS, so outbound connections to Tor2web domains in DNS or web-proxy logs are worth alerting on in environments where Tor use is not expected.
In a blog post on the subject, Trusteer engineer Ilya Kolmanovich states: “…Neverquest infections are supported by multiple downloaders, including Zemot, which was dropped by the Kuluoz phishing emails campaign, and the Chaintor downloader that uses Tor2web as a proxy to fetch its payload, which is hosted on the Tor network. We also noticed that drive-by exploit kits support the distribution of Neverquest…”
The changed installation routine has two steps: the dropper writes the malicious DLL payload into the user’s “%temp%” folder, then launches the Windows command-line utility “regsvr32.exe” on it. regsvr32.exe is the legitimate, Microsoft-signed DLL registration tool, and registering a DLL with it runs the DLL’s DllRegisterServer entry point, so the payload is loaded by a trusted system binary rather than by a conspicuous executable of its own. Once the DLL runs, the Trojan injects its malicious code and then removes its own traces from the system.
Bypassing Anti-Virus Software
The interesting thing about Vawtrak is that it uses several tricks to survive anti-virus tools. One is a so-called “recurring runkey”: the Trojan keeps re-creating its autostart entry under the Windows Run registry key, so persistence is restored even after an anti-virus product has removed it. The other is a “watchdog” built into its DLL module, which monitors the vital component of the malware and ensures it is not removed from the machine.
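The two behaviours described above (a DLL dropped into “%temp%” and loaded through regsvr32.exe, and a Run key that is written again and again) are both visible in ordinary endpoint telemetry. The following is an added example, not code from Trusteer or from the Vawtrak analysis: a small Python scanner run over constructed, Sysmon-like process-creation (event id 1) and registry set-value (event id 13) records. The record layout, the file names and the registry paths in SAMPLE_EVENTS are assumptions made for the example, and the rewrite threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real logs). Shape loosely follows Sysmon:
# id 1 = process creation, id 13 = registry value set. Paths are made up.
TEMP_DLL = r"C:\Users\bob\AppData\Local\Temp\ab12.dll"
RUN_KEY = (r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
           r"\CurrentVersion\Run\Updater")
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": f'regsvr32.exe /s "{TEMP_DLL}"'},                 # suspicious
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\legit.dll"'},  # benign
    {"id": 13, "target": RUN_KEY, "details": f'regsvr32.exe /s "{TEMP_DLL}"'},
    {"id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},  # benign
    {"id": 13, "target": RUN_KEY, "details": f'regsvr32.exe /s "{TEMP_DLL}"'},
    {"id": 13, "target": RUN_KEY, "details": f'regsvr32.exe /s "{TEMP_DLL}"'},
]

# Temp locations the dropper is described as using (literal %temp% or its expansion).
TEMP_DIR_RE = re.compile(r"(?:%temp%|\\AppData\\Local\\Temp|\\Windows\\Temp)\\",
                         re.IGNORECASE)
# First .dll argument on a command line, quoted or bare.
DLL_PATH_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
# Per-user or machine-wide autostart keys.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
                        re.IGNORECASE)


def extract_dll(cmdline):
    """Return the first .dll path found in a command line, or None."""
    m = DLL_PATH_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_temp_path(text):
    """True if the text references a temp directory."""
    return bool(TEMP_DIR_RE.search(text))


def regsvr32_temp_dll(event):
    """Process creation: regsvr32.exe registering a DLL that lives in a temp dir.
    Returns the DLL path when the event matches, else None."""
    if event.get("id") != 1:
        return None
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return None
    dll = extract_dll(event["cmdline"])
    return dll if dll and is_temp_path(dll) else None


def suspicious_run_value(event):
    """Registry set-value: Run/RunOnce entry whose command reloads a temp-dir DLL
    through regsvr32.exe."""
    if event.get("id") != 13 or not RUN_KEY_RE.search(event["target"]):
        return False
    details = event["details"]
    return "regsvr32" in details.lower() and is_temp_path(details)


def scan(events, rewrite_threshold=2):
    """Return (regsvr32 alerts, run-key alerts, recurring run keys).

    A Run value that is set `rewrite_threshold` or more times within one log
    window is the 'recurring runkey' pattern: a watchdog restoring persistence
    after something (an AV product, an admin) deleted it."""
    regsvr = [e for e in events if regsvr32_temp_dll(e)]
    run_hits = [e for e in events if suspicious_run_value(e)]
    counts = Counter(e["target"] for e in run_hits)
    recurring = {key: n for key, n in counts.items() if n >= rewrite_threshold}
    return regsvr, run_hits, recurring


if __name__ == "__main__":
    regsvr, run_hits, recurring = scan(SAMPLE_EVENTS)
    for e in regsvr:
        print("regsvr32 loading temp DLL:", regsvr32_temp_dll(e))
    for key, n in recurring.items():
        print(f"Run value re-written {n} times:", key)
```

On real data the point is the combination: a single regsvr32.exe launch from %temp% is rare but not unheard of, and a single Run value pointing at it is something an analyst can delete. The same value reappearing after deletion is what distinguishes the watchdog behaviour from a one-off installer, which is why the scanner counts set-value events per key rather than only flagging the first one.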
The new Neverquest version also has new features, such as taking screenshots and recording video of the infected machine’s desktop. It integrates a “Pony” module as well, whose purpose is to steal stored credentials: certificates held by browsers, email and FTP client credentials, and keys.
The newest Neverquest version appears to carry a list of more than 300 targets around the world, not all of them in the financial sector. Some are gaming, social-network and media sites, a clear sign that the crooks harvest any information that can be turned into money.
“We have seen Neverquest evolve and change its form of activity several times in the past year, and with each iteration, the reason for the change is to try to bypass security products. Security products that implement a naive approach will be bypassed with every change that Neverquest implements until the new modification is studied. Until then, these products are ineffective,” concludes Trusteer engineer Ilya Kolmanovich.