Zscaler’s ThreatLabZ researchers found in a forensic analysis that the threat, which has been targeting users' bank accounts since 2011, has stepped up its attacks on major European banks, with the most activity observed in the UK, Italy, Denmark and Turkey.
Named Shylock initially because of random excerpts from Shakespeare’s Merchant of Venice included in its binary, the Caphaw/Shylock trojan is a financial malware attack that functions similarly to the Carberp, Ranbyus, and Tinba threats, and it uses stealth tactics to infiltrate its victims. With Shylock, however, cybercriminals have developed customized financial fraud capabilities for the malware, including an improved methodology for injecting code into additional browser processes to take control of the victim's computer, and an improved evasion technique to prevent malware scanners from detecting its presence.
One nasty feature of the malware is a sophisticated watchdog service that allows it to resist removal attempts and restore operations.
While Zscaler has so far been unable to identify the initial infection vector for this round of attacks, researchers believe it is more than likely arriving as part of an exploit kit homing in on vulnerable versions of Java.
Once in, Caphaw avoids local detection by injecting itself into legitimate processes such as explorer.exe or iexplore.exe, while simultaneously obfuscating its phone-home traffic by connecting to addresses created by a domain generation algorithm (DGA) over SSL sessions secured with self-signed certificates, Zscaler noted in a blog. This limits the ability of traditional network monitoring solutions to dissect the packets on the wire for any malicious transactions.
Other stealth approaches are in effect when it comes to the command and control (CnC) server. “The large number of potential rendezvous points with randomized names makes it extremely difficult for investigators and law enforcement agencies to identify and take down the CnC infrastructure,” said the researchers. “Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.”
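The two network traits Zscaler describes, randomized DGA hostnames and self-signed SSL certificates, are exactly the features a defender can score in proxy or TLS-inspection logs even when the payload itself cannot be read. The following is an added example written for this article; it is not Zscaler's code and the connection records are constructed, not real Caphaw traffic. It scores the registrable label of each server name with a Shannon-entropy and vowel-ratio heuristic (thresholds are assumptions to be tuned), checks whether the certificate issuer equals the subject, and rates the combination.

```python
import math
from collections import Counter

# Constructed sample TLS connection records (server name, cert issuer, cert subject).
# These are made-up values for illustration, not observed Caphaw infrastructure.
SAMPLE_CONNECTIONS = [
    ("www.example-bank.co.uk", "CN=Example Public CA", "CN=www.example-bank.co.uk"),
    ("mail.example.org", "CN=Example Public CA", "CN=mail.example.org"),
    ("qx7zk3vbn2tplm8d.net", "CN=qx7zk3vbn2tplm8d.net", "CN=qx7zk3vbn2tplm8d.net"),
    ("h4w9sdf2kjq1zz.com", "CN=h4w9sdf2kjq1zz.com", "CN=h4w9sdf2kjq1zz.com"),
    ("internal-dev.example.org", "CN=internal-dev.example.org", "CN=internal-dev.example.org"),
]

# Crude stand-in for a public suffix list so "co.uk" style names are handled offline.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}

# Assumed thresholds; tune against your own baseline of benign hostnames.
MIN_LABEL_LEN = 10
MIN_ENTROPY = 3.5
MAX_VOWEL_RATIO = 0.25


def shannon_entropy(text):
    """Bits of entropy per character of the given string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(host):
    """Return the label just below the (crudely detected) public suffix."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_like(host):
    """Heuristic: long, high-entropy, vowel-poor labels look machine generated."""
    label = registrable_label(host)
    if len(label) < MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= MIN_ENTROPY and vowel_ratio < MAX_VOWEL_RATIO


def is_self_signed(issuer, subject):
    """A certificate whose issuer equals its subject was not issued by a CA."""
    return issuer == subject


def assess(host, issuer, subject):
    """Rate a connection: both traits together is the pattern described in the article."""
    hits = int(dga_like(host)) + int(is_self_signed(issuer, subject))
    return {2: "high", 1: "medium", 0: "low"}[hits]


def triage(connections):
    """Map each server name to its rating so analysts can sort by severity."""
    return {host: assess(host, issuer, subject) for host, issuer, subject in connections}


if __name__ == "__main__":
    for host, level in triage(SAMPLE_CONNECTIONS).items():
        print(f"{level:<6} {host}")
```

Entropy heuristics alone produce false positives on CDN and cloud hostnames, and self-signed certificates are common on internal development systems, which is why the example rates each trait separately and only treats the combination as high. In practice the ratings are a starting point for correlating with the injecting process on the endpoint, not a verdict.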
The firm found that several major banks' sites were actively being monitored by the infection primarily to seek out the victim's online banking credentials, including Bank of Scotland; Barclays Bank; First Direct; Santander Direkt Bank AG; First Citizens Bank; Bank of America; Bank of the West; Sovereign Bank; Co-operative Bank; Capital One; Chase Manhattan; Citi Private Bank; Comerica Bank; E*Trade Financial; Harris Bank; Intesa Sanpaolo; Regions Bank; SunTrust; Bank of Ireland Group Treasury; U.S. Bancorp; Banco Mercantil, S.A.; Varazdinska Banka; Wintrust Financial; and Wells Fargo Bank.