skip to Main Content

Virus Alert: Banking Trojan ‘Neverquest’

big-virusIf you thought social media was scary enough for banks and financial institutions, it just got a lot worse.


What is Neverquest?

Neverquest, a relatively new banking Trojan that spreads itself via social media, email links, and file transfer protocols, is replicating itself through the ranks of unsuspecting link clickers. This nasty Trojan targets online banking and financial transactions with the goal of wiping accounts clean (or playing your money in the stock market). It’s capable of logging keystrokes, grabbing screen captures, controlling your computer through remote software, stealing information with the man-in-the-browser (MitB) technique, and snagging digital certificates. Recently, security firms have noticed that Neverquest is also stealing log in information related to social networking sites and popular share sites, like and Twitter. Neverquest is part of the Snifula family of threats, which was first identified in 2006.


How does it work?

Like most types of malware, Neverquest infects the machines of naïve clickers—i.e., people who are willing to click on any and all email links or links on social media. Once the machine is infected, Neverquest leverages a database of targeted terms (like “account balance” or “funds available”) and waits for the infected victim to visit a site the Trojan has deemed as a financial site.


Once the victim visits a site that Neverquest has identified as a financial site, the Trojan activates itself and begins to transmit the victim’s user log in and password (via keystroke logging) back to a command and control server. Attackers then log into the victim’s account via virtual network computing (essentially through shared desktop)—to the banks, this action looks exactly the same as it would if the victim were logging into their account.


In short, the attacker is using the victim’s own computer to log onto the bank account. Because the attacker is using shared desktop to access the victim’s account, the attack is virtually impossible for banks to differentiate from a legitimate log in.


Even worse, attackers often funnel the cash they steal from victims through several victim accounts before draining an account altogether. This makes the theft harder to trace and the attackers harder to find.


What can you do?

  • If you aren’t expecting an email, never, ever click on links or download attachments. The same is true if you know the sender but aren’t expecting an email with links or attachments—when in doubt, pick up the phone and ask if they meant to send you the email BEFORE clicking or downloading.
  • Links on social media can spread malware, so be careful what you click here, too. Recent examples of what not to click include a fake video of the MH17 plane crash and a video of a huge snake eating a man.
  • It appears as though the Trojan primarily affects users browsing with Internet Explorer or Mozilla Firefox, and using alternative browsers may minimize your threat.


If you have any questions about this virus or if you fear you have been infected, please contact your Technology Manager immediately, or give us a call at 913-428-4200.

Leave a Reply

Back To Top