NCA Leads Global Shylock Malware Takedown

Shylock is the trojan's namesake because its code contains excerpts from Shakespeare's "The Merchant of Venice"

A major takedown of the Shylock Trojan botnet by global law enforcement has disrupted the core of an advanced cybercriminal infrastructure attacking online banking systems around the world.

Shylock – so-called because its code contains excerpts from Shakespeare's The Merchant of Venice – has infected at least 30,000 computers running Microsoft Windows worldwide, according to Europol. Intelligence suggests that Shylock targets the UK more than any other country; nevertheless the US, Italy and Turkey are also being targeted by the malicious code. It is thought that the suspected developers are based elsewhere.

Victims are typically infected by clicking on malicious links, and then persuaded to download and run the malware. Shylock will then seek to access funds held in business or personal bank accounts, and transfer them to the criminal controllers.

Investigative actions were undertaken from the operational center at the European Cybercrime Centre (EC3) at Europol in The Hague. In early July, law enforcement agencies seized the servers that form the command and control system for the trojan, and took control of the domains Shylock uses for communication between infected computers. During the action, several previously unknown parts of the infrastructure were discovered, and follow-up actions could be initiated immediately, set up and coordinated from the operational center.

The operation, coordinated by the UK National Crime Agency (NCA), brought together partners from the law enforcement and private sectors, including Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab and the UK's GCHQ.

"The European Cybercrime Centre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure," said Troels Oerting, head of EC3 at Europol, in a statement. "EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber-analysts and cyber-experts."

Investigators from the NCA, the FBI, Italy, the Netherlands and Turkey gathered to coordinate action in their respective countries, in concert with counterparts in Germany, France and Poland. Coordination through Europol was instrumental, and CERT-EU participated in the takedown and distributed information on the malicious domains to their peers.

"It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU," Oerting said. "It's another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication. A specific thanks goes to Kaspersky Lab who have contributed significantly to the successful outcome of the operation – and our cooperation continues to grow in this and future cases."

Sergey Golovanov, principal security researcher at Kaspersky Lab, who provided the threat intelligence service and tracked the malware activity within the global operation, noted that banking fraud campaigns are no longer one-off cases; rather, there has been a significant rise in these kinds of malicious operations. In 2013 alone, the number of cyber-attacks involving malware designed to steal financial data increased by 27.6% to reach 28.4 million.

"To fight cybercrime, we provide threat intelligence to law enforcement agencies all over the world and cooperate with international organizations such as Europol," Golovanov said, in a statement. "Global action brings positive results – an example being the operation targeting Shylock malware."