NeverQuest Banking Trojan Co-Creator Sentenced to 4 Years
Stanislov Lisov of Russia Pleaded Guilty to Federal Hacking Charge
Stanislov Lisov, a Russian hacker who helped create the NeverQuest banking Trojan, which was capable of extracting millions of dollars from victims' financial accounts, has been sentenced to four years in federal prison.
Lisov, 34, who also went by the handles "Black" and "Blackf," pleaded guilty in February to one count of conspiracy to commit computer intrusion, according to the U.S. Department of Justice.
Federal prosecutors had sought a five-year sentence, but Judge Valerie E. Caproni sentenced Lisov to 48 months in prison along with three years of supervised release, the forfeiture of $50,000 and the payment of $481,000 in restitution to victims, according to sentencing documents.
Arkady Bukh, a Brooklyn-based attorney representing Lisov, tells Information Security Media Group that in arguing for a lighter sentence, he told the judge that his client had accepted responsibility and acknowledged he misused his computer science knowledge as part of this criminal enterprise. Bukh also says he argued that Lisov's time in a Spanish jail while he awaited extradition should count toward his sentence.
Between June 2012 and January 2015, Lisov and other co-conspirators created and deployed the NeverQuest banking Trojan in an attempt to steal over $4.4 million, the court documents show. Prosecutors contend that Lisov stole $885,000 from several victims during this time and also sold victims' login information and other personal identifying information on criminal black market websites.
"Lisov was responsible for key aspects of the creation and administration of a network of computers, or botnet, infected by NeverQuest," according to the sentencing documents. "Lisov maintained infrastructure to further the scheme, including leasing computer servers used to administer the NeverQuest botnet."
NeverQuest Widely Used
After Lisov and other members of the criminal group created NeverQuest, it quickly became a popular tool for infecting devices, spreading through social media websites, phishing emails and file transfers, according to the sentencing documents.
In most cases, once NeverQuest was planted on a victim's device, the Trojan would steal the login credentials, such as username and password, when the victim attempted to log in to a banking website.
"If a user visited a financial institution website that NeverQuest already had in its database, NeverQuest would surreptitiously insert computer code into the webpage through a 'webpage injection,' so that any data entered by a user into the webpage would be communicated back to a computer server (a command-and-control server) used to administer the NeverQuest malware," according to the sentencing documents.
NeverQuest also had the ability to add new banking and financial websites to its database, prosecutors say. Once the gang had control over the account information, it could log into the victim’s online accounts, transfer money to other accounts, change login credentials, write online checks and make online purchases, the sentencing documents note.
Lisov controlled the infrastructure and the botnet of infected devices, according to court documents. He also maintained a list of 1.7 million stolen credentials that included usernames and passwords as well as security questions.
After an FBI investigation, Lisov was indicted in 2017 on charges of conspiracy to commit computer intrusion and conspiracy to commit wire fraud. Lisov was later arrested in Spain in 2017 and then extradited to the U.S. in January 2018 (see: Spanish Court Approves Suspected Hacker's Extradition).
NeverQuest’s Lasting Impact
Some security researchers say that cybercriminals are still using the NeverQuest code to create new types of Trojans. CrowdStrike says that the gang behind NeverQuest evolved into a group called Lunar Spider that developed a similar Trojan called BokBot (see: Repeat Trick: Malware-Wielding Criminals Collaborate).
Limor Kessem, executive security adviser at IBM, notes in a recent blog post that the original NeverQuest gang scaled back its operations immediately following Lisov's arrest two years ago.
"IBM X-Force data shows that in 2015, NeverQuest was second only to the Dyre Trojan, which topped the financial malware charts that year," Kessem says. "The minute NeverQuest’s dubious collaborators saw law enforcement reach one of their trusted parties, they realized the FBI was already too close for comfort and dropped it like it was hot: Campaigns delivering the NeverQuest Trojan dropped considerably on Jan. 19, 2017, just a few days after Lisov’s arrest in Spain."
(Managing Editor Scott Ferguson contributed to this report.)