Major Banks' Customers Being Targeted with Shylock Trojan, Cautions Zscaler
According to security company Zscaler, cyber-criminals are targeting customers of 24 prominent banks and other financial institutions around the world with the Caphaw Trojan, better known as Shylock, in order to steal banking credentials from victims' infected PCs.
The initial infection vector is not yet known, but the researchers believe an exploit kit is being used to deliver the malware, exploiting Java vulnerabilities on the targeted PCs.
Once loaded on a PC, Shylock injects itself into legitimate processes so that it can evade detection by security software.
Another tactic the criminals use is a domain generation algorithm (DGA), which produces large numbers of pseudo-random domain names that serve as the command-and-control (C&C) servers issuing instructions to the Trojan. The DGA benefits the attackers because law enforcement cannot easily take the C&C infrastructure down: taking over or blocking one domain leaves the Trojan free to move on to the next name the algorithm generates.
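To make the DGA mechanism concrete, here is an added example; it is not Shylock's code and not Zscaler's, and the article does not describe Shylock's actual algorithm. A toy date-seeded generator produces the day's candidate C&C domains, and two defender-side checks follow: matching DNS queries against the precomputed list (what a takedown or sinkhole operation does once the algorithm and seed have been recovered from a sample), and a lexical heuristic for families whose algorithm is unknown. The seed, TLD list, label length, domains-per-day and the heuristic thresholds are all assumptions, and the query log is constructed.

```python
"""Illustrative DGA and two defender-side checks.

Added example, not Shylock's algorithm (which the article does not describe).
SEED, TLDS, LABEL_LEN, DOMAINS_PER_DAY and the lexical thresholds are
assumptions chosen only to show the mechanics.
"""
import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ("com", "net", "info", "org")   # assumption: a small TLD rotation
LABEL_LEN = 12                          # assumption: length of the generated label
DOMAINS_PER_DAY = 10                    # assumption: candidates per day
SEED = b"example-seed"                  # assumption: secret shared by bot and operator


def generate_domains(day, seed=SEED, count=DOMAINS_PER_DAY):
    """Return the candidate C&C domains for one day.

    `day` is a datetime.date or a 'YYYY-MM-DD' string. The list depends only
    on the date and the seed, so every bot and the operator derive the same
    names with no hard-coded hostname to block; the operator registers one
    or two of them, and a seized domain is simply replaced by tomorrow's.
    """
    day_str = day if isinstance(day, str) else day.isoformat()
    domains = []
    for i in range(count):
        material = seed + day_str.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map the first LABEL_LEN digest bytes to letters (slightly biased
        # towards early letters because 256 is not a multiple of 26; fine here).
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def find_dga_queries(query_names, day, seed=SEED):
    """Defender check 1: with the algorithm and seed recovered from a sample,
    precompute the day's list and match it against observed DNS query names.
    The same list is what gets pre-registered or sinkholed ahead of time."""
    expected = set(generate_domains(day, seed))
    return [name for name in query_names if name.lower() in expected]


def shannon_entropy(text):
    """Bits of entropy per character over the character frequencies of `text`."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_dga(fqdn, min_len=10, min_entropy=3.0, max_vowel_ratio=0.35):
    """Defender check 2: lexical heuristic for families whose algorithm is
    not known. Random-letter labels are long, high-entropy and vowel-poor
    (about 5/26 of random letters are vowels, versus roughly 40% in English
    words). Expect false positives on CDN and tracking hostnames, so treat
    a hit as a triage signal, not a verdict."""
    label = fqdn.lower().split(".")[0]
    if len(label) < min_len or not label.isalpha():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


if __name__ == "__main__":
    day = date(2013, 9, 18)
    todays = generate_domains(day)
    # Constructed query log: two benign names mixed with two of today's DGA names.
    log = ["www.example.com", todays[3], "onlinebanking.example", todays[7]]
    print("today's candidates:", todays)
    print("matched DGA queries:", find_dga_queries(log, day))
    for name in log:
        print(f"{name:40s} dga-like={looks_like_dga(name)}")
```

Note that the list-matching check is exact and only works once the algorithm has been reverse engineered from a sample; the lexical heuristic needs no such knowledge but will also flag legitimate machine-generated hostnames, which is why it belongs in a triage pipeline rather than a blocking rule.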
Moreover, Shylock encrypts its communication between infected PCs and the C&C servers with SSL.
Zscaler researchers Chris Mannon and Sachin Deodhar state that the encryption prevents conventional network monitoring tools from breaking down the components of a transaction to detect malicious activity, Threatpost.com reported on September 18, 2013. The researchers report that most infections are occurring in Italy, the UK, Turkey and Denmark.
Interestingly, Shylock goes to considerable lengths to survive and persist on the target PC. It checks whether it is running inside a virtual machine and whether the host is connected to the Internet, and will not run if the environment is not to its liking. It then creates an 'autorun' registry entry and modifies system processes to obstruct software that tries to remove it. This is how it persists, the investigators explain.
Notably, Shylock was first detected in 2011 and resurfaced earlier in 2013, hitting European banking customers. It is now attacking customers of the four biggest US banks, namely Bank of America, Chase Manhattan Corporation, Wells Fargo and Citi Private Bank, as well as US Bancorp, Capital One, Bank of the West and others.
» SPAMfighter News - 28-09-2013