Two dozen major U.S. and European banks are in the crosshairs of the Shylock, or Caphaw, financial malware of late, and victims who trade with one of the 24 financial institutions are at risk of giving up their credentials and losing assets in their accounts.
Malware researchers have noticed a rise in infections of late; the malware has been in circulation since 2011, however. While the initial infection point is unknown, the malware is adept at hiding its tracks. It uses a Domain Generation Algorithm to route phone-home traffic through a number of IPs created using self-signed SSL certificates.
“This limits the ability of traditional network monitoring solutions to dissect the packets on the wire for any malicious transactions,” said Zscaler researchers Sachin Deodhar and Chris Mannon in a blogpost today. Most of the infections, they said, are happening in the U.K., Italy, Denmark and Turkey.
DGA has been used previously by other malware families to disguise themselves from detection services and software. Domain generation algorithms periodically generate and test new domain names and determine whether a command and control server responds to a request. Static reputation servers that maintain lists of C&C domains don’t fare well against DGA. On the attacker’s end, by using DGA, they don’t need to manage a command and control infrastructure of servers that can be targeted by researchers and law enforcement for takedown.
Botnets and malware families such as PushDo, Zeus and TDL/TDSS also use DGA to attack financial customers, send spam or assist in targeted attacks against government, military and political organizations.
Shylock has been modified many times, adding features that help it slip past security detection software and services and frustrate researchers trying to analyze it. It has also added features such as webinjects to help it install malware on compromised machines on the fly, and plug-ins that help it spread over Skype instant messages.
In the latest string of infections, the attackers are using a piece of javascript from the legitimate MaxMind GeoIP IP address location database to obtain location information about new victims.
“Administrators should view this transaction as a starting point for their investigation into any suspicious activity,” the researchers wrote. “It is not a malicious service, but illustrates how malware writers can leverage even legitimate services.”
Experts speculate that an exploit kit is serving up the latest Caphaw infections and exploiting vulnerabilities in Java to get onto a victim’s machine. It then drops an executable that varies for every infection, putting a damper on the ability to detect infections.
“The large number of potential rendezvous points with randomized names makes it extremely difficult for investigators and law enforcement agencies to identify and take down the CnC infrastructure,” the Zscaler researchers wrote. “Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.”
To date, Zscaler has found 64 Caphaw samples and 469 IP addresses making a call to a DGA location.
The malware does what it can to survive and persist on a machine; it can determine whether it’s being executed in a virtual machine and whether the host is online. If either fails, the malware will not execute. To maintain persistence, it creates an autorun registry entry and augments system processes to hinder its removal, the researchers said.
The researchers provided the list of 24 banks being targeted:
- Bank of Scotland
- Barclays Bank
- First Direct
- Santander Direkt Bank AG
- First Citizens Bank
- Bank of America
- Bank of the West
- Sovereign Bank
- Co-operative Bank
- Capital One Financial Corporation
- Chase Manhattan Corporation
- Citi Private Bank
- Comerica Bank
- E*Trade Financial
- Harris Bank
- Intesa Sanpaolo
- Regions Bank
- SunTrust
- Bank of Ireland Group Treasury
- U.S. Bancorp
- Banco Mercantil, S.A.
- Varazdinska Banka
- Wintrust Financial Corporation
- Wells Fargo Bank