
Global Law Enforcement, Security Firms Team Up, Take Down Shylock

A la GOZeuS, an international, public-private collaboration seizes a banking Trojan's command and control servers.

A month after the GameOver ZeuS sting, another bank fraud group's operations have been disrupted by an international collaboration of security firms and law enforcement agencies. The new target is Shylock, a Trojan that has stolen from banks in the U.S., Italy, and especially the United Kingdom.

Today the U.K.'s National Crime Agency (NCA) announced that it has seized Shylock operators' command-and-control servers and taken control of the domains they use to communicate. The effort was led by NCA, and included the FBI, the European Cybercrime Centre at Europol, GCHQ, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, the German Federal Police, and others in Italy, Turkey, France, Poland, and the Netherlands.

"The NCA is coordinating an international response to a cyber crime threat to businesses and individuals around the world," said Andy Archibald, Deputy Director of the NCA's National Cyber Crime Unit, in a statement. "This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cyber crime impacting the UK."

"The European Cybercrime Centre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure," said Troels Oerting, head of the European Cybercrime Centre (EC3) at Europol, in a statement. "EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts. In this way we have been able to support frontline cyber investigators."

Shylock, first discovered in 2011, is named after the character Shylock in Shakespeare's "The Merchant of Venice," because the malware's code contains lines from the play. In March, Dell SecureWorks named Shylock one of the Top Banking Botnets of 2013, citing that it was responsible for 7% of the banking malware it detected (behind only GameOver ZeuS, Citadel, and other variants of ZeuS).

Symantec estimates that the gang behind Shylock has stolen several million dollars from victims over the past three years. Over 60,000 infections were detected in the past year. Shylock spreads through a wide variety of vectors, including phishing messages, "malvertising," malicious PDFs, drive-by downloads, fake browser updates, removable media devices, Skype instant messages, and man-in-the-browser attacks. It uses several exploit kits, including Blackhole, Cool, Magnitude, Nuclear, and Styx.

According to Symantec, Shylock uses a technique termed automated-transaction-service (ATS), which can automatically send a logged-in user's credentials to the attacker and initiate fraudulent transactions in the background. It can hide its tracks by modifying account balances and transaction records or adjusting percentages and values of funds to evade fraud detection logic.

It's proven itself capable of defeating banks' two-factor authentication. In some cases, the attackers posed as bank representatives, opening chat windows to talk to customers and directly request all the account information needed to transfer money from the customer's account to another one held by the criminals. They even distract users, if necessary, by popping up phony security alerts.

According to NCA, "Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere."

Symantec estimates that the UK is Shylock's largest target by far, claiming about 30% of the attackers' efforts over the past year. Why? As Symantec explains:

Despite high infection numbers, the attackers have maintained a very narrow geographical focus. The UK is by far its largest target. The country has a large banking customer base, a high online banking adoption rate, and a high number of wealthy citizens. The UK also has a relatively small number of banks relative to its size. Since the attackers have to tailor the malware to perform attacks on individual banks, this makes the UK market doubly attractive.

Shylock is probably owned and operated by one group of malicious actors based in Eastern Europe, and may be offered as a service to other criminal groups, according to Jason Milletary, technical director for malware analysis in Dell SecureWorks' Counter Threat Unit (CTU) research team, which worked on this project. This model is quite similar to that of GOZeuS, and quite unlike malware like BlackShades, which is sold on the black market to anyone for about $40 a pop.

As Symantec describes it:

The Shylock gang is a professional organization which appears to operate out of Eastern Europe. The platform is almost certainly developed in Russia and the developers appear to work a typical nine to five day, from Monday to Friday, indicating that this is a full-time operation. The vast majority of binary compilations occurred on weekdays.

This effort to bring down Shylock is similar to the GOZeuS sting, not only because it's an international, public-private collaboration, but also because it aims at the criminal infrastructure rather than the malware or the criminals themselves.

When the GOZeuS sting was announced, law enforcement estimated that they could keep the malicious actors disrupted for roughly two weeks, expecting that it would take the bad guys about that long to set up new infrastructure. NCA has not released an estimate of how long they expect the Shylock operators to be out of commission.

That depends upon how motivated the criminals are, says Milletary. "The initial downtime might not be that long," he says, "but once you've started, you've got the process in place to continue to fight back. The groundwork has already been laid for a more significant disruption."

Milletary believes that "we'll continue to see these kinds of efforts going forward," because security companies will see value in collaborating not only with law enforcement but with their own competitors.

"A rising tide floats all boats," he says. "[Working together is] better for all our clients and the Internet in general."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Kelly Jackson Higgins, User Rank: Strategist
7/15/2014 | 9:56:56 AM
Re: takedown season
It does seem counterintuitive. But I wonder if it's just a stopgap measure until they rebuild a more sophisticated infrastructure again. The only sure thing is they are making money and they will keep coming back from the dead after each disruption op.
Sara Peters, User Rank: Author
7/15/2014 | 9:43:33 AM
Re: takedown season
@Kelly I know, right? It's been exhausting. I find the latest GOZeus news interesting, because although there's some kind of resurgence, they've made the attack less sophisticated than it was before... I don't know what that means, but I think it must mean something.
Kelly Jackson Higgins, User Rank: Strategist
7/11/2014 | 12:08:24 PM
takedown season
Lots of takedowns happening lately, which is progress. But then there's that problem of re-invention and resurgence. Even so, the more pressure on the bad guys from more sources, the better.