A global law enforcement operation seized control of the backbone supporting Shylock, a dangerous Trojan that is notorious for quickly siphoning money from bank accounts before rapidly moving on to infect another victim.
The operation, announced by Europol Thursday, seized the command and control servers used by criminals to communicate orders to at least 30,000 Microsoft Windows PCs infected with Shylock. The operation was led by the U.K. National Crime Agency and included joint assistance from Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab and the U.K.'s Government Command Headquarters.
The seizure is expected to severely cripple the malware, said Andy Archibald, deputy director of the National Crime Agency's National Cyber Crime Unit in the U.K. The country has the largest percentage of infected systems, but the U.S., Italy and Turkey were also hit hard by Shylock.
"This phase of activity is intended to have a significant effect on the Shylock infrastructure and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime," Archibald said in a statement.
Shylock got its name because its code base contains excerpts from Shakespeare's "The Merchant of Venice." The authors of the malware are still at large, according to Europol. The malware uses a man-in-the-browser attack technique, enabling the criminals controlling Shylock to inject code into the victim's browser and authenticate transactions, including high-value money transfers, without the victim's knowledge.
"Victims are typically infected by clicking on malicious links and then persuaded to download and run the malware," Europol said in a statement announcing the operation. "Shylock will then seek to access funds held in business or personal bank accounts and transfer them to the criminal controllers."
In addition to phishing email, the malware spreads through Skype instant messages. Shylock was controlled by at least 53 command and control servers, according to Dell SecureWorks, which has been monitoring the botnet. The Trojan seeks out network shares to infect additional systems, quickly establishing a group of infected systems in certain regions.
The Trojan is believed to have ties to criminals in Russia, according to a Symantec analysis of Shylock issued Friday. It has been distributed in five attack toolkits, including Black Hole, Cool, Magnitude, Nuclear and Styx, enabling the attacks to be customized to banking customers in certain regions, Symantec said.
"Shylock is without a doubt a finely tuned and profitable enterprise that has continued to grow in 2014," Symantec said.
It is the second global operation within the past month against major financially motivated cybercriminal organizations believed to be located in Eastern Europe and Russia. In June, law enforcement in 10 countries, aided by Dell SecureWorks and other security firms, cracked down on the Gameover Zeus botnet, which is believed to have spread the Cryptolocker ransomware. The sole operator behind that campaign, a 30-year-old Russian man, is being sought by the FBI. A Zeus malware infection at a Pennsylvania plastics manufacturer transferred nearly $375,000 from its corporate bank account in less than 24 hours, according to court documents associated with the botnet seizure operation.
Financially motivated attacks aimed at stealing credit and debit cards from retailer systems and others targeting online banking users are a constant problem with no immediate end in sight, said Kevin Wheeler, founder and managing director at Dallas-based information security services company InfoDefense. While much of the attention is focused on consumers, it is a serious concern to business owners trying to avoid costly employee mistakes that end up with systems infected with malware, Wheeler said.
Banking malware sophistication is rising, according to security experts. Wheeler said it is driving interest in data loss prevention and encryption to protect sensitive corporate data, as well as in other technologies designed to monitor the behavior of endpoint systems to spot and address suspicious activity quickly.
"Organizations typically start with perimeter protection, but a lot of the interest we are seeing is being driven by the threat landscape," Wheeler said.
PUBLISHED JULY 11, 2014