Shylock (a.k.a. The Merchant of Malice) is one of the most sophisticated banking Trojan horse programs presently occupying the financial fraud threat landscape. From its humble beginnings in 2011, it has seen increased infections in the United Kingdom, Italy, and the United States. This is consistent with the increased number of targeted financial institutions over that time period. Shylock is currently targeting over 60 financial institutions with the majority of them operating in the United Kingdom.
The main purpose of Shylock is to perform a man-in-the-browser (MITB) attack against a configured list of target organization websites. The attack is used to steal user credentials and apply social engineering tactics in order to convince the user to perform fraudulent transactions at the target institution.
Recently, Shylock has begun downloading and executing complementary modules in order to beef up its functionality. The following modules have been developed and are being downloaded by the threat.
- Archiver (compresses recorded video files before uploading them to remote servers)
- BackSocks (enables the compromised computer to act as a proxy server)
- DiskSpread (enables Shylock to spread over attached, non-fixed drives)
- Ftpgrabber (enables the collection of saved passwords from a variety of applications)
- MsgSpread (enables Shylock to spread through Skype instant messages)
- VNC (provides the attacker with a remote desktop connection to the compromised computer)
The Trojan employs a robust infrastructure that allows for redundancy and load-balancing during periods of high traffic, whereby servers will redirect compromised computers to another server depending on the number of incoming connections.
The first level of servers belonging to this threat has been identified and can be categorized into the following three groups:
- Central command-and-control (C&C) servers (responsible for botnet control and maintenance)
- VNC and Backsocks servers (enable remote control during transactions)
Figure 1. Groups of servers utilized in Shylock’s infrastructure
These are proxy servers that are used to control the main component. The main purpose of these servers is to maintain the Shylock infection base by providing the following updated configuration files and modules to compromised computers:
- Binary files
- A hijackcfg module
- A httpinject module
When a compromised computer executes one of the new, additional modules, it sends a report log to the C&C server. These logs are then redirected to the appropriate server using encrypted communication; the servers act as a Secure Sockets Layer (SSL) to each other. The servers use the following protocols when communicating with each other:
- SSH is fingerprinted as "Debian 6" ("OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)")
- HTTPS response includes "CentOS" ("Server: Apache/2.2.15 (CentOS)")
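A defender's triage of banner-grab data against the two fingerprints listed above, as an added example that is not Symantec's code: it flags hosts that present both the Debian SSH banner and the CentOS Apache header. The record format, function names and sample addresses (documentation ranges) are constructed; each banner is common on its own, so only the combination is treated as worth a closer look.

```python
import re
from collections import defaultdict

# The two banner strings quoted in the article. The SSH pattern accepts both the
# scanner-style rendering shown there and the raw wire form (underscore/hyphen).
SSH_RE = re.compile(r"OpenSSH[_ ]5\.5p1 Debian[- ]6\+squeeze1")
HTTP_RE = re.compile(r"Server:\s*Apache/2\.2\.15 \(CentOS\)", re.I)

# Constructed sample: tab-separated host, port, banner (assumed export format).
SAMPLE = """\
192.0.2.10\t22\tSSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
192.0.2.10\t443\tServer: Apache/2.2.15 (CentOS)
192.0.2.20\t22\tSSH-2.0-OpenSSH_5.3
192.0.2.20\t443\tServer: Apache/2.2.15 (CentOS)
198.51.100.7\t22\tOpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
198.51.100.7\t443\tServer: nginx
203.0.113.5\t22\tSSH-2.0-OpenSSH_6.0p1 Debian-4
203.0.113.5\t443\tServer: Apache/2.2.22 (Ubuntu)
this line is malformed and is skipped
"""

def parse(text):
    """Group banners by host; ignore lines that are not host<TAB>port<TAB>banner."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        host, port, banner = parts
        hosts[host][int(port)] = banner.strip()
    return hosts

def classify(banners):
    """'both' = Debian SSH banner and CentOS Apache header seen on the same host."""
    ssh = any(SSH_RE.search(b) for b in banners.values())
    http = any(HTTP_RE.search(b) for b in banners.values())
    if ssh and http:
        return "both"      # mismatched-distro pair from the article: review first
    if ssh or http:
        return "partial"   # one common banner alone is a weak signal
    return "none"

def triage(text):
    return {host: classify(b) for host, b in parse(text).items()}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(f"{host:15} {verdict}")
```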
Five central C&C servers are currently controlling the Shylock botnet. These servers are situated in Germany and the United States at various hosting providers.
Evidence of a strain migration
At first, Shylock was specifically targeting computers located in the United Kingdom but it is now spreading to other countries. Also, as some financial institutions become less desirable as targets, either due to increased security measures or a lack of high-value business accounts, Shylock is refocusing its attacks on those offering potentially larger returns.
Figure 2. Computers infected with Shylock between 2011 and 2013
Figure 3. Targeted sectors
We expect to see new iterations of this threat in the wild and are continuing to monitor the threat landscape.
As always, we recommend that you follow best security practices and ensure that you have the most up-to-date software patches in place, and that you use the latest Symantec technologies and virus definitions to ensure that you have the best protection against threats.