An international law enforcement operation has struck a major blow against the gang behind Shylock, one of the world’s most dangerous financial Trojans. The takedown, which was led by the UK National Crime Agency, resulted in the seizure of command and control (C&C) servers, in addition to domains that Shylock uses for communication between infected computers.
Trojan.Shylock is designed to intercept online banking transactions and steal victims’ credentials. The gang behind it appears to be based in Russia or Eastern Europe and its main target is customers of UK banks. It has also hit financial institutions in a number of other European countries and the US. Shylock is more advanced than many other financial Trojans:
- The attackers behind Shylock have an advanced, targeted distribution network that allows them to infect victims in selected countries through multiple channels;
- The attackers have a professional attitude and Shylock has been continually updated in response to security countermeasures employed by targeted banks;
- The malware is modular in nature, which allows the attackers to easily extend or change its functionality;
- The Shylock Trojan is privately owned and not for sale on the underground market.
Symantec estimates that the gang behind Shylock has stolen several million dollars from victims over the past three years and over 60,000 infections were detected in the past year.
This takedown operation is the latest in a series of stings against major cybercriminal gangs and comes hot on the heels of police actions against the Gameover Zeus network and the attackers behind Blackshades RAT.
Shylock first appeared in 2011 and infections grew rapidly once the malware was perfected. Activity around the Trojan was detected as early as July 2011, although at that time it was distributed in very small numbers. It was tightly controlled and still in early stages of development. By the end of 2011 distribution had begun to accelerate.
There was a marked increase in infection counts throughout 2012 and Shylock maintained its momentum in 2013 and 2014, with increased distribution and a heavy focus on targeting customers of financial institutions in the UK and the US.
Figure 1. Shylock distribution June 2013 – May 2014
Shylock is one of the most heavily distributed financial Trojans in recent years. Despite high infection numbers, the attackers have maintained a very narrow geographical focus. The UK is by far its largest target. The country has a large banking customer base, a high online banking adoption rate, and a high number of wealthy citizens. The UK also has a relatively small number of banks relative to its size. Since the attackers have to tailor the malware to perform attacks on individual banks, this makes the UK market doubly attractive.
Figure 2. Shylock countries targeted June 2013 – May 2014
Shylock has been under continuous and rapid development and its authors use a range of distribution methods. The malware is typically distributed via compromised legitimate websites and email. “Malvertising” and fake browser updates are also employed by the group to spread Shylock.
The main source of infections is through exploit kits and Shylock has been observed to be distributed by five different exploit kits over the past year: Blackhole, Cool, Magnitude, Nuclear, and Styx. Current exploit kits allow attackers to distribute malware on a highly localized basis. This has facilitated the gang’s narrow focus on a small number of countries, in particular the UK.
Infected spam emails containing Shylock masquerade as PDF documents and are usually engineered to appear to be an important business document. The attachment names are identifiable as they follow this format:
- 28-11 brevi statement_[DIGITS].pdf.exe
- copy #2 of invoice_[DIGITS].pdf.exe
- servidor hpinvoice_[DIGITS].pdf.exe
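A mail-gateway check for the lure names listed above, as an added example that is not part of the original post. It matches the three name patterns exactly (with `[DIGITS]` as a run of digits) and, more generally, flags any attachment that hides an executable extension behind a document extension; the sample attachment names are constructed.

```python
import re

# Lure attachment names from the post; [DIGITS] stands for a run of digits.
SHYLOCK_LURE_PATTERNS = [
    re.compile(r"^28-11 brevi statement_\d+\.pdf\.exe$", re.IGNORECASE),
    re.compile(r"^copy #2 of invoice_\d+\.pdf\.exe$", re.IGNORECASE),
    re.compile(r"^servidor hpinvoice_\d+\.pdf\.exe$", re.IGNORECASE),
]

# Broader rule: a document extension immediately followed by an executable extension.
DOUBLE_EXTENSION = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx)\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.IGNORECASE
)

def classify_attachment(name: str) -> str:
    """Return 'shylock_lure', 'double_extension' or 'clean' for one attachment name."""
    stripped = name.strip()
    if any(p.match(stripped) for p in SHYLOCK_LURE_PATTERNS):
        return "shylock_lure"
    if DOUBLE_EXTENSION.search(stripped):
        return "double_extension"
    return "clean"

def scan_attachments(names):
    """Map each attachment name to its verdict; anything not 'clean' is a quarantine candidate."""
    return {n: classify_attachment(n) for n in names}

# Constructed sample attachment names (not taken from a real mailbox).
SAMPLE_ATTACHMENTS = [
    "copy #2 of invoice_48213.pdf.exe",
    "Servidor hpinvoice_7.PDF.EXE",
    "quarterly_report.xlsx.scr",
    "invoice_48213.pdf",
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:17} {name}")
```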
How Shylock works
Shylock has targeted most of the major financial institutions in the UK and it is capable of using advanced “Man-in-the-Browser” (MITB) techniques to steal a victim’s credentials and perform fraudulent transactions. Attackers gain control of the victim’s browser by exploiting security vulnerabilities to modify the web pages displayed to the victim. Shylock is also capable of defeating two-factor authentication security mechanisms employed as countermeasures at some of these banks.
Shylock employs a technique termed automated-transaction-service (ATS) which can automatically initiate fraudulent transactions in the background. Its capabilities include:
- Grabbing information about user accounts and account balances
- Performing fraudulent transactions in the background
- Social engineering attacks to trick the user into authenticating a transaction with a Secure Key
- Hiding entries in transaction records and modifying balances
- Adjusting percentages and values of available funds to evade some fraud detection logic
When a victim logs into their bank on an infected machine, their credentials are sent to the bank and the attackers. This allows the attackers to assume control of the account and initiate fraudulent transactions. In order to distract the user, a number of diversion tactics are used by the attackers. For example, the diversion tactic used against customers of one bank is a window pretending to perform additional security checks on the computer.
Figure 3. Error message displayed during a fraudulent transaction attempt
If the user becomes impatient and attempts to navigate away from this page another socially engineered message is presented to them.
Figure 4. Pop-up error message displayed during a fraudulent transaction attempt
Once the fraudulent transaction has been set up, the user is finally prompted to authorize it by supplying their six-digit security code into attacker-supplied fields. This lures the victim into inadvertently authorizing a fraudulent transaction.
Figure 5. Attackers lure victim into supplying a security code
Once the attackers have successfully executed a transaction, they are capable of further socially engineering the user into providing additional transaction authorizations. Alternatively, Shylock can display a notification which will prevent the user from using their online banking as a delaying tactic to prevent them from noticing any suspicious activity.
A professional cybercrime gang
The Shylock gang is a professional organization which appears to operate out of Eastern Europe. The platform is almost certainly developed in Russia and the developers appear to work a typical nine to five day, from Monday to Friday, indicating that this is a full-time operation. The vast majority of binary compilations occurred on weekdays.
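The weekday observation above comes from build timestamps. As an added example (not the post's own analysis), the following reads the COFF `TimeDateStamp` from PE headers and buckets the builds by weekday and office hours; the developer timezone (UTC+4, Moscow time between 2011 and October 2014) and the sample build times are assumptions, and the binaries are constructed header stubs, not Shylock samples.

```python
import struct
from datetime import datetime, timezone, timedelta

# Assumed developer timezone: UTC+4 was Moscow time between 2011 and October 2014.
DEV_TZ = timezone(timedelta(hours=4))

def pe_compile_timestamp(data: bytes) -> int:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def work_pattern(timestamps, tz=DEV_TZ):
    """Count builds on weekdays, and how many of those fall in 09:00-17:59 local time."""
    weekday = office = 0
    for ts in timestamps:
        dt = datetime.fromtimestamp(ts, tz)
        if dt.weekday() < 5:          # Monday=0 ... Friday=4
            weekday += 1
            if 9 <= dt.hour < 18:
                office += 1
    return {"total": len(timestamps), "weekday": weekday, "weekday_office_hours": office}

def make_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header carrying a TimeDateStamp; a fixture, not a real binary."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(hdr) + b"PE\0\0" + coff

# Constructed build times in developer local time: Mon, Tue, Wed evening, Fri, Sat.
SAMPLE_BUILD_TIMES = [
    datetime(2014, 3, 3, 10, 15, tzinfo=DEV_TZ),
    datetime(2014, 3, 4, 14, 40, tzinfo=DEV_TZ),
    datetime(2014, 3, 5, 18, 30, tzinfo=DEV_TZ),
    datetime(2014, 3, 7, 9, 5, tzinfo=DEV_TZ),
    datetime(2014, 3, 8, 11, 0, tzinfo=DEV_TZ),
]
SAMPLE_BINARIES = [make_stub_pe(int(t.timestamp())) for t in SAMPLE_BUILD_TIMES]

def analyze(binaries=SAMPLE_BINARIES):
    """Extract every build timestamp and summarise the working pattern."""
    return work_pattern([pe_compile_timestamp(b) for b in binaries])

if __name__ == "__main__":
    print(analyze())   # {'total': 5, 'weekday': 4, 'weekday_office_hours': 3}
```

Compile timestamps are written by the attacker's toolchain and can be zeroed or forged, so a weekday pattern corroborates other evidence rather than proving an operating location on its own.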
The gang behind Shylock continuously develops new features, reacts quickly to online banking countermeasures, and uses advanced distribution channels to infect the end user. Shylock is without a doubt a finely tuned and profitable enterprise that has continued to grow in 2014. Combating a threat like Shylock requires cross-border cooperation between private industry and law enforcement. Symantec is committed to sharing information with international law enforcement and private industry partners to this end.
Symantec customers are already protected against Shylock. Symantec protects users against Shylock under the following detection names.
Intrusion Prevention Signatures