All That Glitters Is No Longer Gold – Shylock Trojan Gang Hit by Takedown
By: Symantec’s Security Response Team
An international law enforcement operation has struck a major blow against the gang behind Shylock, one of the world’s most dangerous financial Trojans. The takedown, which was led by the UK National Crime Agency, resulted in the seizure of command and control (C&C) servers, in addition to domains that Shylock uses for communication between infected computers.
Trojan.Shylock is designed to intercept online banking transactions and steal victims’ credentials. The gang behind it appears to be based in Russia or Eastern Europe and its main target is customers of UK banks. It has also hit financial institutions in a number of other European countries and the US. Shylock is more advanced than many other financial Trojans:
- The attackers behind Shylock have an advanced, targeted distribution network that allows them to infect victims in selected countries through multiple channels;
- The attackers have a professional attitude and Shylock has been continually updated in response to security countermeasures employed by targeted banks;
- The malware is modular in nature, which allows the attackers to easily extend or change its functionality;
- The Shylock Trojan is privately owned and not for sale on the underground market.
Symantec estimates that the gang behind Shylock has stolen several million dollars from victims over the past three years, and over 60,000 infections were detected in the past year. The gang continuously develops new features, reacts quickly to online banking countermeasures, and uses advanced distribution channels to infect end users. Shylock is without a doubt a finely tuned and profitable enterprise that has continued to grow in 2014. Combating a threat like Shylock requires cross-border cooperation between private industry and law enforcement. Symantec is committed to sharing information with international law enforcement and private industry partners to this end.
Symantec customers should not be alarmed as they are already protected against Shylock under the following detection names:
Intrusion Prevention Signatures