Hacker gets 4 years in jail for NeverQuest banking malware

A Russian hacker has been sentenced to four years in US prison for using the NeverQuest banking Trojan to infect the computers of unwitting victims, steal their login information for online banking accounts, and use it to wipe out their accounts.

The US Attorney’s Office for the Southern District of New York announced the sentencing of Stanislav Vitaliyevich Lisov on Thursday.

According to the Justice Department (DOJ), NeverQuest has been used by cybermuggers to try to weasel millions of dollars out of victims’ bank accounts.

Nasty and complex

It’s a nasty piece of work. Researchers have determined that NeverQuest’s origins lie in an evolving threat family called Vawtrack, also known as Snifula, Catch or Grabnew.

Once NeverQuest slips onto a victim’s computer, it wakes up when the system logs onto an online banking website. Then, it transfers the victim’s login credentials, including their username and password, back to a command and control server. That lets the malware’s administrators remotely control a victim’s computer and log into their financial accounts, transfer money to accounts that the crooks control, change the login credentials, write online checks, and purchase goodies from online vendors at their victims’ expense.

According to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the Trojan installs what’s called a Virtual Network Computing (VNC) server that disguises malicious activity, escaping detection by making it look like that activity is coming from the victim’s own computer.

NeverQuest can replicate and spread with the help of FTP servers, the Neutrino Exploit Kit, and social networking sites. It uses web-injection to evade detection by antivirus software and can slip by two-factor authentication (2FA). The malware can also launch man-in-the-middle and man-in-the-browser attacks; harvest email, FTP, and stored browser credentials; and can capture video and screenshots.

Lisov: NeverQuest’s daddy

The DOJ says that between June 2012 and January 2015, Lisov worked on “key aspects” of creating and administering a botnet based on computers infected by this malicious NeverQuest beast.

Lisov’s duties included maintaining infrastructure for the criminal enterprise, including by renting and paying for the servers used to manage the botnet. Those servers were stuffed with stolen login credentials – approximately 1.7 million of them, including usernames, passwords, and security questions and answers to get into their bank and other financial accounts.

Lisov was arrested in Spain in January 2017. He was extradited to the US a year later, and in February 2019, he pleaded guilty to one count of conspiracy to commit computer hacking.

At the time of Lisov’s guilty plea, US Attorney Geoffrey S. Berman called Lisov’s crimes “audacious”:

As he admitted today, Stanislav Vitaliyevich Lisov used malware to infect victims’ computers, obtain their login credentials for online banking accounts, and steal money out of their accounts.

This type of cybercrime extends across borders, poses a malicious threat to personal privacy, and causes widespread financial harm. For his audacious crime, this Russian hacker now faces justice in an American court.

It’s good news that one of these bank robbers is off the streets. But this is an ongoing battle, fought against professionally run criminal syndicates, so don’t expect the FBI, Europol or any other crime-fighting organization to be able to rest anytime soon.