Suspected Hacker Behind the NeverQuest Banking Trojan Arrested in Spain

In 2013, researchers from Kaspersky Lab’s SecureList published “Online Banking Faces a New Threat,” explaining the threat that NeverQuest, a banking trojan, posed to the public. Three-and-a-half years after a hacker listed the malware on a forum, Spain’s Guardia Civil announced that officers had arrested NeverQuest’s creator. The press release revealed that the FBI had requested that Interpol issue an arrest warrant for the 32-year-old Russian national, Stanislav Lisov.
The NeverQuest banking trojan “could be used to attack ‘about 100 banks’ by seeding add-on code onto bank websites,” the NeverQuest forum post explained. NeverQuest appeared on a secret Russian forum known for data dumps and for many of the trojans in the wild today. When an infected user visited one of the services on the malware’s target list, using Internet Explorer or Firefox, NeverQuest injected malicious JavaScript into the page. Once the scripts were deployed, NeverQuest manipulated the connection between the victim and the particular website visited. The malware sent stolen bank credentials to hackers across the globe, enabling theft to the amount of $5,000,000, according to the Guardia Civil.

When Stanislav Lisov returned a rental car to an airport rental location on January 13, the Guardia Civil arrested him. According to the announcement, “the Civil Escape Team of the Central Operative Unit (UCO) of the Civil Guard who had detected their presence in Catalonia, after several days of surveillance intercepted him when he intended to leave Spain on a flight bound for another EU country.” BleepingComputer wrote that the couple had planned to visit friends in Lyon, France.
The Guardia Civil explained the Lisov arrest:
Lisov was considered a major operator of NeverQuest, having been charged, among other illicit acts, with the creation and administration of a network of computers infected with NeverQuest, using the leasing and acquisition of servers and computers used to administer that system.
A thorough investigation of the servers operated by Lisov in France and Germany revealed databases with stolen lists of information from accounts of financial institutions, with data indicating, among other things, account balances. One of the servers leased by Lisov contained files with millions of login credentials, including usernames, passwords, and security questions and answers, for the bank and financial website account