{
	"id": "e60b2f09-b1ec-4b3f-9a39-1c6c7bb9621f",
	"created_at": "2026-04-06T03:37:43.007243Z",
	"updated_at": "2026-04-10T03:30:33.621581Z",
	"deleted_at": null,
	"sha1_hash": "2887638b58ec3efca202a1c95b8e89e282dbd8b6",
	"title": "Neverquest Trojan: Built to Steal from Hundreds of Banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38355,
	"plain_text": "Neverquest Trojan: Built to Steal from Hundreds of Banks\r\nBy Serge Malenkovich\r\nPublished: 2013-11-29 · Archived: 2026-04-06 02:52:55 UTC\r\nNeverquest is a new banking trojan that spreads itself via social media, email and file transfer protocols. It\r\npossesses the capacity to recognize hundreds of online banking and other financial sites. When an infected user\r\nattempts to log in to one of the sites the trojan reacts by activating itself and pilfering its victim’s credentials.\r\nNeverquest then relays the stolen credentials back to a command and control server. Once there, the attackers can\r\nuse the credentials to log into affected accounts via virtual network computing (VNC). VNC is essentially a shared\r\ndesktop system, so the criminals basically use the victim’s computer to log into the victim’s online bank and\r\nperform the theft. It makes it quite impossible for the bank to distinguish legitimate users from criminals.\r\nKaspersky Lab announced earlier this week that the trojan has infected thousands of user-machines but – as\r\nmalware expert Sergey Golovanov explains – it has the potential to do much more damage throughout the holiday\r\nseason because of its efficient and versatile self-replication features. In fact, back in 2009, the Bredolab malware\r\nused the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the\r\nthird most widely distributed piece of malware on the Internet.\r\n“When a user on an infected machine visits one of the sites on the list, the malware controls the browser’s\r\nconnection with the server,” Golovanov explained in an analysis on Securelist. “Malicious users can obtain\r\nusernames and passwords entered by the user, and modify webpage content. 
All of the data entered by the user\r\nwill be entered onto the modified webpage and transmitted to malicious users.”\r\nOnce the attacker has control of a victim’s account, he can empty it completely into an account under his control.\r\nIn many cases, however, Golovanov notes that the attackers are moving the stolen money through a series of\r\nvictim accounts. In this way, they dump money from one victim’s account into another and repeat this process\r\nseveral times before directly obtaining the money themselves in order to make their activities difficult to trace.\r\nNeverquest is for sale on at least one underground forum. It only seems to affect users browsing with Internet\r\nExplorer and Mozilla Firefox, but Neverquest’s creators boast that it can be modified to attack “any bank in any\r\ncountry.”\r\nThe malware also contains a feature that searches for specific banking-related keywords while the infected user\r\nsurfs the web. If a user visits a site that includes these keywords, the trojan activates itself and begins intercepting\r\nuser communications and sending them back to the attackers. If the site the victim is visiting ends up being a\r\nbank, the attackers add this new site to the list of sites that automatically trigger Neverquest. 
This update is then\r\nsent along through Neverquest’s command and control infrastructure to all other infected machines.\r\nFidelity.com, the website of one of the world’s largest mutual fund investment firms, appears to be one of the\r\ntrojan’s top targets according to the report.\r\n“Its website offers clients a long list of ways to manage their finances online,” Golovanov wrote on Securelist.\r\n“This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the\r\nstock market, using the accounts and the money of Neverquest victims.”\r\nNeverquest is also designed to start harvesting data when an infected user visits any number of sites not related to\r\nfinance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more.\r\n“The weeks prior to the Christmas and New Year holidays are traditionally a period of high malicious user\r\nactivity,” Golovanov wrote. “As early as November, Kaspersky Lab noted instances where posts were made in\r\nhacker forums about buying and selling databases to access bank accounts and other documents used to open and\r\nmanage the accounts to which stolen funds are sent. We can expect to see mass Neverquest attacks towards the\r\nend of the year, which could ultimately lead to more users becoming the victims of online cash theft.”\r\nHe continues:\r\n“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated\r\nsolution that secures transactions. 
In particular, the solution must be able to control a running browser process and\r\nprevent any manipulation by other applications.” Luckily, Kaspersky Lab has such technology called Safe Money.\r\nAs a part of Kaspersky Internet Security and Kaspersky PURE, it protects users’ interactions with financial sites,\r\npaying specific attention to the security of the encrypted connection and the absence of third-party control over\r\nweb browsers.\r\nSource: https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/"
	],
	"report_names": [
		"3247"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446663,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2887638b58ec3efca202a1c95b8e89e282dbd8b6.pdf",
		"text": "https://archive.orkl.eu/2887638b58ec3efca202a1c95b8e89e282dbd8b6.txt",
		"img": "https://archive.orkl.eu/2887638b58ec3efca202a1c95b8e89e282dbd8b6.jpg"
	}
}