Neverquest: Evolves again and looks for new targets for attack

Neverquest: Although Japan adopts unique and sometimes incompatible technological standards, a trend often described as Galapagosization, when it comes to banking malware the country is in serious danger. Attacks on online banking are not a new phenomenon in Japan, and the country faced several major attacks last year. For example, Infostealer.Torpplar specifically targeted confidential information about online banks and credit cards in Japan. In addition, variants of Infostealer.Bankeiya used various methods, including zero-day vulnerabilities and exploit kits, to target Japanese users. Japan's national agency said in a report that up to $11,840,000 was stolen through cyber attacks in 2013, while from May 9, 2014 to date $14,170,000 has been stolen, already surpassing last year's total with half a year still to go.

Another well-known banking Trojan, Neverquest (Trojan.Snifula), continues to evolve and add new features to steal even more confidential online banking information than when we last mentioned it. Symantec has observed the recent activity of Neverquest, which specializes in spying on its victims, over the past few months.

Our telemetry shows that since last December more than half of Snifula detections have occurred in the United States or Japan.

Figure 1. Snifula incidents per country

The chart in Figure 2 shows the number of Snifula infections per country over one month and clearly shows a notable increase in infections in Japan at the end of March.

Figure 2. Number of infections per country over one month

As reported in a recent blog post on Snifula, the threat has been active since 2006. The Snifula trojan includes many features for stealing information from infected computers, including:

• Keystroke logging

• Screenshot and video capture

• Remote control

• Extraction and interception of stored usernames and passwords

• Digital certificate theft

• Man-in-the-browser (MitB) attacks

Once Snifula infects a computer, it downloads a configuration file from a command-and-control (C&C) server. Each configuration file is tailored to its target. For example, Figures 3, 4 and 5 show the configuration files for the US, Germany and Japan.

Figure 3. Configuration file for the US

Figure 4. Configuration file for Germany

Figure 5. Configuration file for Japan

Configuration files mainly consist of two parts. The first part is code used for MitB attacks. This code is injected into targeted web pages to display misleading messages, which often ask users to submit sensitive data such as personal information, personal identification numbers (PIN), transaction authentication numbers (TAN), external transfer codes (ETP), telephone banking codes (TBP), one-time passwords (OTP), answers to security questions or any other information required to transfer money.

The second part of each configuration file is a list of strings. The threat monitors the web pages that users visit and activates when any of the strings in the configuration file matches part of the URL or the content of the web page. There are no significant differences between the US and Japanese configurations in terms of this list. We can see about 400 strings related to social networking, customer relationship management, web mail, messaging, cloud computing, storage, finance, online movies, photo sharing and gaming services. In effect, most online services, for both consumers and corporate users, are covered.
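The URL-matching rule described above gives a defender a simple hunting method: once the string list has been extracted from a sample's configuration, it can be replayed over proxy logs to see which requests from an infected host would have triggered the injection. The script below is an added example, not code from the page or from Symantec; the trigger strings, log format and log lines are all constructed placeholders, and it matches on URLs only, since proxy logs do not carry page content.

```python
"""Added example (not from the page or Symantec): replay a Snifula-style
trigger-string list over proxy logs. All strings and log lines are constructed."""
import re
from typing import Iterable, Optional

# Constructed trigger list (a real config holds ~400 entries).
TRIGGER_STRINGS = ["example-bank.test/online", "webmail.example.test", "/crm/login"]

# Constructed proxy log format: "<timestamp> <client_ip> <url> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one proxy log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def matching_triggers(url: str, triggers: Iterable[str]) -> list:
    """Return every trigger that is a case-insensitive substring of the URL,
    mirroring the 'string matches part of the URL' rule described above."""
    u = url.lower()
    return [t for t in triggers if t.lower() in u]

def triage_proxy_log(lines: Iterable[str], triggers=TRIGGER_STRINGS) -> list:
    """Return each parsed request whose URL matches at least one trigger."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        matched = matching_triggers(rec["url"], triggers)
        if matched:
            hits.append({**rec, "triggers": matched})
    return hits

# Constructed sample log lines (one deliberately malformed)
SAMPLE_LOG = [
    "2014-04-01T09:12:03Z 10.0.0.15 https://www.example-bank.test/online/login 200",
    "2014-04-01T09:13:44Z 10.0.0.15 https://news.example.test/article/123 200",
    "2014-04-01T09:15:10Z 10.0.0.22 https://WEBMAIL.example.test/inbox 200",
    "garbage line that does not parse",
    "2014-04-01T09:16:30Z 10.0.0.22 https://crm.example.test/crm/login?next=/ 302",
]

if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], "->", ", ".join(hit["triggers"]))
```

Hits tell you which sessions on the infected host were exposed to the inject, which is where credential resets and transaction reviews should start.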

The configuration file for Japan, used by the latest version of Snifula, targets only eight major Japanese financial institutions, compared with the ten listed in the German configuration file and the more than 50 listed in the US one.

A total of eight Japanese financial services companies are targeted by this Snifula variant, which may not seem like many, but the number is expected to increase significantly. Another well-known, financially motivated malware family, Trojan.Zbot, is known to target local banks that are little known outside their own regions. Because the Zbot source code was leaked online, its successful methods and techniques are now familiar to the underground community. Considering the above, there is little doubt that Snifula will be, or has already been, updated to target further financial services companies in Japan.

Today, we rely on many online services to make financial transactions, send email, keep in touch with friends and share data with other people, both at work and in our personal lives. Unfortunately, these services are a primary target for attackers. To stay protected, Symantec recommends keeping your computer and security software up to date.

Symantec provides the following protection against this threat:

Antivirus

IPS


Written by giorgos
