By: ASERT Research Team
On March 31st, Arbor’s Security Engineering & Response Team (ASERT) published a detailed threat brief on the Neverquest malware for Arbor customers. Along with thousands of IOC’s (indicators of compromise), the brief details Neverquest’s current inner workings and describes some reversing techniques ASERT uses to unravel and monitor this stealthy and quickly evolving malware. Applying this research at scale to malware and data acquired by our global ATLAS initiative allows us to develop targeted defenses and security context that enables customers to mitigate advanced threats and enhance their security posture over time .
This blog post provides excerpts from the Neverquest threat brief along with some new data that was not available at the time the brief was released to customers. In doing so, it also highlights the results of ASERT research activities that feed Arbor products.
Historical Threat Context and Prior Research
Originally, a malware family known as Ursniff was used to build newer malware called Gozi. After some success and a time of inactivity, Gozi was revitalized as Gozi Prinimalka, which has evolved into the modern Vawtrak/Neverquest (referred to as ‘Neverquest’ herein). Foundational threat analysis work has been performed for years on the Gozi banking Trojan and the Russian threat actors associated with it. From the “Hang-up Team” running the illicit business 76service all the way to the modern era, a group of experienced cybercriminals have been working this threat, apparently with substantial success that has kept the operation rolling for years. Recent changes in mid-2014 have brought the threat back to the attention of the security industry and law enforcement. The threat evolves frequently, and has been propagated by various tactics including but not limited to spambot delivery with the Kulouz spambot, exploit kit distribution, malicious MS-Word documents, and downloads from the Chanitor downloader malware. Researchers from Sophos published operational details of the threat in December 2014 that discuss the evolution of Neverquest into a crimeware-as-a-service platform. In January of 2015, additional observations were made public about the expansion of the criminal infrastructure and targets by researchers at PhishLabs.
On March 24, 2015 anti-malware firm AVG published research about the latest Neverquest activity, including the use of tor2web domains to download updates. Tor2web domains have been visible inside Neverquest binaries for months, however the actual use of these sites was not observed within our analysis environment until mid-March 2015.
Readers with the need or desire for a more complete picture of this evolving malware are encouraged to review this important prior work.
Malware Threat Overview
Having evolved from earlier malcode, Neverquest incorporates advanced techniques honed from years of underground experience. In the quest for financial gain, Neverquest is used to gain access to victim bank accounts and other financial processing systems on behalf of the compromised victim. Stolen accounts are harvested and delivered back to the threat actors behind the attack campaign. These credentials can be used in conjunction with a series of webinjects where Neverquest injects malicious code into an otherwise authorized and legitimate web session that has been selected by URL or keyword criteria, AKA “man in the browser”. The capability to leverage webinjects and proxy through victim machines allows the threat actors to bypass security restrictions such as multi-factor authentication and encryption, as well as to take advantage of existing session data and transactions. More basic credential theft capabilities are present as well since Neverquest has incorporated, in form or in essence, the functionality of the famous Pony Loader malware which scours a system for saved credentials that are then exfiltrated to the attackers. Threat actors also can connect via a Virtual Network Computing (VNC) interface to the target, and have also been observed proxying transactions through VPN’s likely to obfuscate the trail that might lead back to themselves or their criminal infrastructure. Other functionality includes the ability to steal certificates and cookies, execute commands, locate files on the disk, setup a SOCKS server, download bot updates, and more.
Investigation suggests that the threat actors are coordinated and experienced and continually evolve their tactics, techniques, and procedures (TTP’s) in response to security industry advancements and public disclosures. Examples of this evolution are the increased use of encryption to protect the configuration elements from easy interception at multiple levels, an increase in the number of targets and C2 domains being pushed in configurations, use of steganography to update C2 lists, and emergent use of the tor anonymity network to obfuscate and protect back-end criminal server infrastructure.
Neverquest typically contains an internal, first-stage configuration stored within the malware binary itself. This configuration provides initial static parameters that will be used during the first contact with C2 infrastructure. First-stage configuration information includes the following:
- C2 information: A list of IP addresses and/or domain names used for C2. Each malware binary contains numerous C2’s, with lists as small as four C2 and up to 28 C2.
- Project ID: a numerical value associated with the campaign at hand. Each project ID appears to be useful for partitioning the botnet into active campaigns that may be targeting one or more targets.
- Update version: the version of the software.
- Build: The build number of the software.
- URI Template: a format string that will be used, along with dynamically and statically generated data in the POST to the C2.
- Tor2web domains: a listing of tor2web domains (not found in all variants).
- Encryption seed material: various encryption seeds used dynamically by the bot in encryption and decryption processes.
Once Neverquest reaches out to its C2, it receives a larger configuration file that contains a wealth of target information. This second-stage configuration contains three general sections:
- Web Inject Rules: instruct where to inject malicious content into an HTTP session
Each injection rule is formatted as such:
($target_url_regex, $injection_point, $content_to_be_injected, $flags)
(‘client.schwab.com/Accounts/’, ‘</body>’, ‘<script>\r\nLoadPageGood();\r\n</script>\r\n</body>’, ‘\x0c\x07 ‘)
- Trigger URL’s: Theft of HTTP requests
The Trigger URL’s are a list of URL’s that will have their HTTP requests forwarded to a Neverquest C2.
Each trigger URL is formatted as ($trigger_url, $flags)
- Trigger Strings: Theft of HTTP responses
When Neverquest encounters a trigger string in any HTTP response, it will send a copy of that response to a C2.
Neverquest is a global phenomenon
As of March 27th, ASERT’s collection of Neverquest malware artifacts was as follows:
Our sample set indicates that 25 different countries are hosting at least one site targeted by a Neverquest webinject. While there are many ways to assess the degree to which a given country is impacted by Neverquest, we offer two below. The first chart ranks the 25 countries according to the number of different Neverquest project ID’s (campaigns) targeting each country. Note that a single project ID typically contains webinjects for sites in multiple countries:
As an example, the graph above tells us that 72% (36 of 50) of all project ID’s in our sample set contain a webinject URL targeting a site in Great Britain.
Another way to view Neverquest country impact is to look at the geo-location data for the IP addresses of the sites associated with Neverquest webinject URLs. This data is graphed in Figure 2. Note that the line for the United States is cut off so as not to obscure the rest of the chart. While the chart cuts off at 30, there are 230 IP addresses associated with US sites targeted by our current list of Neverquest webinjects:
To the degree it assists with interpreting these graphs, we note that while Canada (CA) ranked 8th, in Figure 1, based on the 25 different Neverquest Project ID’s targeting Canada, it ranks 2nd in Figure 2 in terms of the number of IP addresses in Canada hosting sites targeted by Neverquest.
We can also determine from the prior two charts that the 27 different project ID’s targeting Saudi Arabia (SA), are all targeting the same single site within Saudi Arabia.
As noted above, a single Neverquest project ID usually targets different domains hosted in various countries. Similarly, different Neverquest project ID’s often target the same domains. The following chart graphically illustrates the connections between the 50 Neverquest project ID’s (yellow circles) and the 25 targeted countries (blue circles):
As visually suggested by the diagram, there exist certain groupings of project ID’s and countries. Indeed there are ten sets of Neverquest project ID’s in our sample set such that all project ID’s within a given set target the exact same countries:
Different project ID’s with the same targets lends credence to the Crimeware as a Service model envisioned by the Sophos paper. For example, different adversaries may target the same set of victims using different campaign ID’s for tracking purposes. It may also be the case that purchasing the service comes with a default configuration that can subsequently be tweaked by the adversary.
In the full ASERT Threat Intelligence Brief, we leverage these groupings to provide further insight into the specific domains targeted by each group. Specifically, for each group of project ID’s, the full ASERT brief provides a high level geographical view of the sites being targeted by webinjects, followed by a list of the target domains and the corresponding number of webinjects for that domain.
As resources permit, ASERT can provide targeted customers with details concerning the precise injection points and content to inject for each target URL. Targeted organizations seeking additional insight are encouraged to contact Arbor Networks for further collaboration.
As a result of sinkholing numerous Neverquest Command & Control domains, ASERT has obtained insight into a sample set of compromised machines reporting back to the C2 domain(s). Each point of compromise, represented by a unique IP address may be the result of a trigger URL, a trigger string, or a webinject target URL being present in the victim environment which caused data to be POSTed to the C2 servers. While DHCP churn and mobility are going to provide for variability in the accuracy and confidence of these maps, monitoring reveals that approximately 64,500 unique IP addresses contacted our Neverquest sinkholes during the period of March 1 – March 26, 2015.
Further analysis is required in order to correlate victim locations with Neverquest webinject targets.
As expected, major population centers display a high number of compromises in the US and elsewhere around the world. While many population centers are hit hard, the UK appears to have been hit very hard.
In the Asia Pacific region, Japan shows substantial compromise activity, with a smaller amount of victims appearing in South Korea.
Trigger URL Frequency
Recall that when Neverquest detects a trigger URL in a POST request, it will forward a copy of the posted data to a C2. As of March 25th, we have observed 153 unique trigger URLs in Neverquest configurations. Of the 1,066,608 POST requests picked up by our sinkhole, we have observed 60 of these 153 trigger URL’s. The following table lists, by count, the current top 25 trigger URL’s posting data to our sinkhole.
Importantly, note how Neverquest is hijacking more than communications with targeted financial institutions. From above, we see that it also exfiltrates email being posted to mail.yahoo or mail.google.com.
Based on a sample of available data, C2’s are scattered all around the world, with a higher concentration in various European countries and Ukraine. These plots are only a representative sample of C2 activity and should not be considered to be comprehensive.
Recent Advances in Threat Construction: Tor2Web Indicators
Recent samples of Neverquest contain code designed to connect to hidden tor servers via the tor2web.org site in a manner similar to the tactic used by the Chanitor downloader malware, which is using tor2web for Command & Control (C2) purposes. Neverquest variants are downloading digitally signed updated C2 lists stored within favicon.ico files that appear legitimate but have been modified with the use of steganography. While the first tor2web domains appeared inside Neverquest malware samples by at least December 27, 2014, Neverquest has only been observed in our sample set obtaining these updates over the network since at least March 12, 2015. A complete list of C2 indicators as of March 27th, including onion domains is included in the full ASERT Threat Intelligence Brief.
Visual Indicators of Compromise
In some cases, attackers may define a webinject that produces a visual indicator of compromise. Past research suggests that attackers have spent a lot of time working on the webinjects in order to make them functional and effective. Bypassing the average user’s suspicions is an important goal for the attackers, yet in some cases users may notice something amiss, especially if the financial institution has alerted their users of any visual or behavioral changes that can indicate a problem.
The attackers may attempt to reassure the victim by explaining that the visual changes are due to extra security measures being implemented by the financial institution for the customer’s protection. The attacker may request a secondary authentication code in an attempt to target high value accounts using multifactor authentication methods. If the end user has already successfully authenticated and a secondary authentication factor is not necessary, the message can be used as a stalling tactic, allowing criminals enough time to hijack the user’s session. Stalling tactics can include asking a user for an authentication code from a device the user does not possess, validation of security parameters, or the site being unavailable for maintenance.
Injections may often contain errors such as requesting a password in three places on the same form. The victim is often asked for information the bank should already know such as the user’s name, or the victim’s work, mobile, and home phone numbers. The attackers sometimes leave accidental artifacts in their injections. In one example, a static user id was pre-populated into an injection field.
Neverquest threat actors are keeping busy. New campaigns are coming on-line frequently that are aimed at a wide variety of targets. Additionally, ongoing development has been observed. If recent development trends observed by ASERT continue, we can expect approximately one new build per month and somewhere between ten and twenty new project ID’s although these numbers are only estimates and could vary greatly depending upon the ongoing success of these attack campaigns.
As an example of the velocity of this threat, we have observed various additions within a sample monitoring window (March 9 – March 27, 2015) that are worthy of note. Ten new project ID’s have been observed, each one representing a new criminal campaign aimed at a variety of targets. Additionally, we observed the following changes in other malware campaign activity:
Neverquest is a rapidly evolving malware family that has borrowed malicious code and techniques from a variety of other malware with the intention to provide a best-of-breed cybercrime platform. One or more criminal threat actors utilize the malware for the purposes of building botnets to facilitating banking fraud and the use or sale of various credentials through a variety of means. These means include credential theft, proxying through victim machines, HTTP transaction data theft, and injecting malicious content (webinjects) into authorized transactions between the victim machine and a target site. Campaigns are ongoing, as part of a long-running and evolving cybercriminal operation that has been active over the course of several years. In order to thwart analysis and increase compromise incidence and longevity, threat actors behind the malware are taking steps to obfuscate and encrypt both malware operations and aspects of the back-end infrastructure. Additionally, new development on the code is taking place at least monthly. New Command & Control nodes are appearing at a rapid rate, along with new project ID’s, new samples, and new webinject configurations. Additionally, sinkhole data obtained from sinkholing one or more expired C2 domains indicates that a substantial volume of compromised machines continue to fuel the Neverquest cybercrime apparatus and the underground economy. Many organizations have been targeted, therefore increased and ongoing awareness of this threat as it evolves is crucial. Considering the rate of change observed during our monitoring periods, the threat actors are not standing still and have invested substantial resources into planning, development, back-end criminal infrastructure and associated operations that enable attack campaigns to continue at a rapid pace. Detection across all points in the cyber-kill chain is recommended in order to minimize losses and more rapidly detect malicious activity as financial customers and others continue to be targeted.
 On a daily basis, ASERT gathers well over 100,000 malware samples from ATLAS and other sources. With a focus on Advanced Persistent Threats, geo-political campaigns, financial fraud and DDoS, the malware samples are processed through an automated threat analysis system that applies advanced research techniques to classify malware and extract indicators that can be used by customers to detect and mitigate attacks.