UK Takedown Disrupts Shylock BotnetSophisticated Financial Trojan Targets Banking Customers
British police have worked with an international consortium of law enforcement agencies and information security firms to disrupt financial malware known as Shylock used to infect more than 60,000 PCs and steal millions of dollars.
See Also: Attivo Deception MITRE Shield Mapping
The U.K.'s National Crime Agency says the operation has involved seizing command-and-control servers used to control infected - or zombie - PCs, as well as botnet-related domain names. But no related arrests were announced.
Authorities say Shylock has infected tens of thousands of Windows PCs worldwide. "Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere," the NCA says in a statement. "Victims are typically infected by clicking on malicious links and then unwittingly downloading the malware. Shylock will then seek to access funds held in business or personal accounts, and transfer them to the criminal controllers."
Advanced Trojan Capabilities
The Shylock malware is named for Shakespeare's fictional "Merchant of Venice" character, who's perhaps best known for seeking a "pound of flesh" as security for a money-lending deal. Thus it's fitting - thematically speaking - that the malware was "designed to intercept online banking transactions and steal victims' credentials," says security vendor Symantec. In fact, the malware "is more advanced than many other financial Trojans," the company says.
For starters, the malware uses man-in-the-browser and social engineering attack techniques to steal banking credentials and disguise fraudulent transactions from account owners, Symantec says. For example, the malware includes the ability to trick users into authorizing transactions, using two-factor authentication credentials issued by their bank. When conducting fraudulent transactions, the malware may open a window claiming that the banking website is conducting a security check, to prevent users from seeing or stopping the fraud.
The total number of PCs infected by Shylock - just in the past year - is more than 60,000, Symantec says. Furthermore, the Shylock gang has "stolen several million dollars from victims" over the past three years. "The gang behind it appears to be based in Russia or Eastern Europe and its main target is customers of UK banks," the security firm says. "It has also hit financial institutions in a number of other European countries and the U.S." According to Symantec, about 16 percent of all infections seen in the last year targeted U.S. banking customers.
But the main focus of the Shylock gang's attacks has been British PC users. "Some studies have suggested that 61 percent of websites compromised by the malware were U.K.-based, and that three quarters of the banks being targeted were British," says independent security analyst Graham Cluley. "Recently, however, the Shylock gang has widened its scope - stealing information from users in other countries, including Germany, Denmark, Turkey and Italy, and inflicting financial damage on both individuals and small businesses. The Shylock malware is extremely sophisticated and has proven to have - until now - a resilient infrastructure that was hard for the authorities to disrupt."
The NCA coordinated the takedown effort with the FBI and Europol, as well as law enforcement agencies in France, Germany, the Netherlands, Poland and Turkey. British signals intelligence agency GCHQ, as well as defense contractor BAE Systems Applied Intelligence, U.S. security firm Dell SecureWorks and Russian security vendor Kaspersky Lab also assisted with the takedown.
"This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime impacting the U.K.," says Andy Archibald, deputy director of the NCA's National Cyber Crime Unit. "We continue to urge everybody to ensure their operating systems and security software are up to date."
In that respect, the takedown echoes the May 30 cross-border law enforcement effort known as Operation Tovar, which likewise saw the NCA working with Europol and the FBI, in that case to combat Gameover Zeus malware and Cryptolocker ransomware.
As part of that operation, police also issued public warnings, urging consumers to scan their PCs for the presence of the malicious software and eradicate it before attackers were able to regain control of the malicious infrastructure. But as of July 10, authorities reported still being able to keep the seized Gameover Zeus and Cryptolocker infrastructure locked down. However, a new version of Gameover Zeus has emerged (see Gameover Zeus Trojan Returns).