Neverquest is an online banking trojan that steals login credentials from its victims. Researchers have determined that Neverquest is part of the evolving threat family "Snifula," first seen in 2006. The trojan gives attackers control of the infected device through a Virtual Network Computing (VNC) server, so that the malicious activity appears to originate from the victim's own computer, a method used to avoid detection. It steals credentials by modifying the content of banking websites viewed through certain web browsers and injecting fraudulent forms into those sites. Neverquest is an evolved, complex piece of malware: it can replicate and distribute itself with the help of FTP servers, the Neutrino Exploit Kit, and social networking websites. It maintains persistence through a "recurring runkey" that rewrites its entries into the Windows registry and a "watchdog" that respawns terminated processes. Neverquest also uses a web-injection process to evade detection by antivirus software and to bypass security measures such as two-factor authentication. Lastly, Neverquest can perform man-in-the-middle and man-in-the-browser attacks, harvest email, FTP, and stored browser credentials, and capture video and screenshots. In 2015, a Neverquest variant known as "Vawtrak" targeted more than 15 Canadian financial institutions, spreading through drive-by downloads. Heimdal Security identified 15,000 infected computers.
- October 2015: Vawtrak was first discovered downloading TinyLoader and AbbadonPOS malware onto victim machines. (Proofpoint)
- April 2016: FIN6 cybercriminal group used the Vawtrak trojan, also referred to as "Grabnew", as the primary malware to infect victims. (ThreatPost)
- January 2017: Spanish police arrest Stanislav Lisov, the suspect behind the NeverQuest banking trojan. (BleepingComputer)
- Symantec provides technical details on the Neverquest trojan and the Snifula threat family.