Tuesday, October 1, 2013

U.S. Bank Attack from Shylock Trojan!

The crafty banking Trojan known as Shylock has returned.  The Shylock Trojan is attacking thousands of customers and 24 American banks.

The Shylock or Caphaw Trojan is a financial malware that functions using stealth tactics both on and off the wire.

Shylock  has incredible defense mechanisms that enable it to restore itself after and during a shutdown.
The malware is outlined as “one of the few that can steal money while a user is accessing his bank account,” by ESET Security Intelligence Team Lead, Aleksandr Matroosov.  Aleksandr Matrosov published a detailed analysis about malware earlier this year.

The Shylock has an autoload functionality to repeatedly steal money when a user is actively accessing their bank account.  The user can not recognize the money is being stolen.

The threat uses techniques for bypassing security software and evading automated malware processing.

Zscaler stated in a blog post, “Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users’ bank accounts since 2011.  You may recognize this threat from research done by WeLiveSecurity earlier this year in regards to this threat targeting EU Banking sites.  This time would appear to be no different.  So far, we have tied this threat to monitoring it’s victims for login credentials to 24 financial institutions.”

Zscaler reported an increase in malware detections this week, targeting 24 U.S. banks including Chase Manhattan, Bank of America, Citi, and Wells Fargo.  The first detected malware in 2011 targeted European customers in the United Kingdon, Italy, Denmark and Turkey.

The ESET Virus Radar is showing an increase of infections in the North America Region.  This malware is difficult to detect and is hard to stop when it’s ability to restore itself and an antvirus cleaning procedure is carried out.

The infection vector is unknown, but researchers are pretty sure the malware is served by an exploit kit that uses Java’s vulnerabilities and targets the computer.


A Domain Generation Algorithm represents an algorithm seen in  numerous families of malware.  This generates a large number of quasi-random domain names.

The nasty Trojan avoids detection by injecting itself into legitimate processes like explorer.exe while concealing its phone home traffic through the a Generated Domain Algorithm creating address using Self Signed SSL certificates.

The Self Signed SSL certificate is an identity certificate that certifies to an organization that they are the actual signers.  So basically forging its way through the system.

ThreatLabZ is monitoring the Internet for this threat and its multiplication.  The lab is also dissecting the threat in order to obtain more information about its attack,approach, scope and impact.
What do you think about the banks being compromised? Share you comments below!

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

Can’t keep a bad man down: “Shylock” Trojan returns to attack U.S. banks – WeLiveSecurity
September 20, 2013
New wave of Shylock Trojan targets bank customers – Net Security
September 19, 2013
A New Wave of WIN32/CAPHAW Attacks – A ThreatLabZ Analysis -ZScaler

No comments:

Post a Comment