Trusteer warned that a second non-financial malware variant called Shylock has been retrofitted with fraud capabilities and is abusing its large installed base of infected machines to attack global financial institutions.
Unlike the non-financial malware Ramnit which turned into a fraud platform, Shylock doesn’t incorporate tactics from the infamous Zeus Trojan.
It appears criminals have custom developed financial fraud capabilities for Shylock.
Shylock uses unique mechanisms not found in other financial malware toolkits, including:
- An improved method for injecting code into additional browser processes to take control of the victim’s computer
- A better evasion technique to prevent malware scanners from detecting its presence
- A sophisticated watchdog service that allows it to resist removal attempts and restore operations.
“As with all financial fraud toolkits, Shylock’s detection rate among anti-malware solutions and fraud detection systems is extremely low,” said Amit Klein Trusteer’s CTO. “The ability of cyber criminals to develop, distribute, and operate new tools under the radar of the industry is troubling. Enterprises and individuals continue to rely on security architectures that were designed 20 years ago and have limited value in protecting their critical assets against cybercrime attacks.”