Shylock Explained: How the NCA Got its Pound of Flesh


New information has been released detailing the coordinated UK-led international effort required to successfully wipe out the notorious banking malware Shylock, the first European takedown of its kind.

Shylock first burst onto the scene in 2011, when Trusteer researchers spotted a banking trojan with a difference – this one was designed to hide itself from detection, using encryption and obfuscating its phone-home traffic via a domain generation algorithm.

The malware – so-named because of references to Shakespeare in its code – also featured functionality enabling it to resist removal attempts and restore itself on reboot.

What’s more, the threat was particularly difficult to spot, as it relied on drive-by or watering hole attacks, which compromise legitimate and innocuous looking sites.

According to a new Bloomberg report, the UK’s National Crime Agency (NCA) met in late 2013 – deciding that because the vast majority of victims were in the UK, it should lead the effort to dismantle the operation.

Operation Disputed began on 8 July 2014 with the help of Europol and Microsoft, which served a court order on registry VeriSign to divert Shylock’s US domains to a sinkhole.

Then began a game of ‘whack-a-mole’ as law enforcers attempted to seize C&C servers and block domains in the Shylock infrastructure across the globe – from the Cook Islands to the UK – with the bot herders setting up anew as quickly as they were taken down.

The breakthrough apparently happened when the Disputed team contacted Eugene Kaspersky to ask for help in contacting the registries responsible for many of the Shylock domains hosted on .su – the old Soviet Union domain.

Pulling in this local resource ensured around 75 of the offending domains were shut down within hours, the report claimed.

NCA lead Paul Hoare told Bloomberg the agency has had no banking losses reported since, although the gang remains at large.

Malwarebytes malware intelligence analyst, Chris Boyd, cautioned that the group will likely be back.

“It’s frustrating to know that for all the coordinated actions taken by law enforcement the bulk of the gang remain at large and will likely return to peddle more malware,” he told Infosecurity.

“The major worry is that Shylock has been around for many years and was already fairly advanced when it began infecting computers. One can only guess at the sophistication of any new files they’ll bring online. For this criminal gang, all the world’s a stage – and their entrance is long overdue.”
