Incident Response, Malware, TDR

Police, security firms abate Shylock malware threat

International law enforcement and a number of organizations in the private sector have made a concerted effort to stop the spread the Shylock banking trojan.

On Thursday, the UK's National Crime Agency (NCA) announced that it, along with the FBI, Europol, Dell SecureWorks, Kaspersky Lab, and other organizations, had “jointly addressed” the threat through the seizure of criminals' command-and-control servers. In addition, the groups took over domains used by Shylock perpetrators.

NCA estimated that Shylock had infected at least 30,000 machines running Windows worldwide.

Initially discovered in February 2011 by security firm Trusteer, Shylock delivers web injects into victims' browsers and logs keystrokes. The malware is concealed in endpoint device memory files and rewrites Windows processes. Shylock, which also goes by the name “Caphaw,” deletes its installation files, runs solely in memory, and begins the process again once the infected machine reboots.

Most recently, the banking trojan was named one of the most active banking trojans in 2013 by Dell SecureWorks Counter Threat Unit (CTU). A variant of the malware also impacted visitors of, in an incident last month, where users were redirected to the trojan.

While Shylock primarily targeted users in the UK,  banking customers in the U.S. were also sought after for their credentials.

On Thursday, Jason Milletary, technical director for malware analysis at Dell SecureWorks CTU, told in an interview, that Shylock was self-spreading malware, often using Skype or local shares and removable drives, to make its way to new victims.

Because the malware is capable of injecting chat forms into web pages, it was of particular use to fraudsters aiming to bypass multiple forms of authentication to carry out fraudulent transactions, he added.

[Attackers] try to trick the users into believing they are communicating with a bank [representative] when, in fact, they are communicating with the criminal,” Milletary said. “They were getting information they needed to impersonate the victim [when] logging in.”

In its announcement, NCA advised users, who do not automatically receive Windows updates, to go to Microsoft's website for further information on scanning for and, if necessary, removing the malware.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.