Shylock Malware is Big, Bad, and Targeting UK Banks

A new report from BAE Systems Detica provides a detailed analysis of the malware, showing how it works and how it is distributed

A new report from BAE Systems Detica provides a detailed analysis of the malware, showing how it works and how it is distributed. It shows that while the UK is not the only target (Italian banks have also been targeted recently), the UK is the prime target: 80% of targeted banks over the past two years have been UK banks. Furthermore, delivery is effected mainly through compromised legitimate UK sites – 61% of a sample 500 known compromised sites were UK websites.

Delivery is primarily through the drive-by or water hole technique. This was originally achieved via malvertising, where malicious code is inserted in adverts that are then placed on legitimate websites by the ad networks. Recently, however, the Shylock operators have taken "a more direct approach by actively compromising websites running outdated versions of popular web platforms, such as WordPress." These have included a site for London events/nightlife, a website of a popular TV chef and a website for a manufacturer of kitchen appliances.

A successful compromise inserts malicious JavaScript into a web page. This ultimately leads to an "alert bar that mimics the style of the browser in use and prompts the user to download a plugin in order to display media on the website. This is a very common social engineering technique to convince users into downloading and running an executable," says the report. The end result, of course, is the installation of the Shylock malware – but achieved by tried and tested social engineering rather than the hit-and-miss exploit kit approach used with other malware.
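Because the delivery chain starts with script injected into a legitimate site's pages, one check a site owner can run is an inventory of every script element on a served page against a known-good baseline. The following is an added illustration, not code from the Detica report; the baseline format (an allowlist of external script URLs plus hashes of inline script bodies) and the sample page are assumptions constructed for the example.

```python
"""Flag <script> elements in a served page that are absent from a known-good
baseline: an added site-owner integrity check against injected JavaScript.
Baseline format and the sample HTML below are constructed assumptions."""
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external = []       # src attribute values
        self.inline = []         # bodies of inline <script> blocks
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_inline:          # script bodies arrive as raw CDATA
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False

def sha256(text):
    return hashlib.sha256(text.strip().encode()).hexdigest()

def find_unexpected_scripts(html, allowed_srcs, allowed_inline_hashes):
    """Return (external srcs, inline bodies) that are not in the baseline."""
    c = ScriptCollector()
    c.feed(html)
    bad_srcs = [s for s in c.external if s not in allowed_srcs]
    bad_inline = [b for b in c.inline if sha256(b) not in allowed_inline_hashes]
    return bad_srcs, bad_inline

# Constructed sample: the clean page's elements plus one injected external script.
CLEAN_INLINE = "var ga = ga || [];"
BASELINE_SRCS = {"/wp-content/themes/site/js/main.js"}
BASELINE_HASHES = {sha256(CLEAN_INLINE)}
SAMPLE_PAGE = """<html><head>
<script src="/wp-content/themes/site/js/main.js"></script>
<script>var ga = ga || [];</script>
<script src="http://injected.example/plugin-check.js"></script>
</head><body>Events listing</body></html>"""
```

Run `find_unexpected_scripts(SAMPLE_PAGE, BASELINE_SRCS, BASELINE_HASHES)` against each served page; any non-empty result is a script the baseline did not contain and merits a look.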

Once installed, the malware is controlled from command-and-control servers hosted "at large providers in multiple countries including the US, Germany and the UK." However, although the main targets appear to be UK banks, and although the majority of drive-by sites are UK websites, Detica doesn't believe that Shylock was developed in the UK.

"The cyber criminal gang behind Shylock still appear to be focused primarily on the UK, and recent notable upticks in Shylock-related activity detected in recent months over our UK client base suggest that they are not letting up. It is likely that local gang members are operating physically within the UK in order to cash out and launder stolen funds whilst the authors of Shylock are most likely not directly involved and thus out of reach of law enforcement. Russian code comments... suggest that the criminal gang is Eastern European but this could be a false flag planted to misdirect investigators."

David Harley, ESET senior research fellow, confirmed that UK banks are a major target. "Oddly enough," he told Infosecurity, "our detection telemetry is showing Namibia as the real hotspot right now, with lighter detection in South Africa. Detection is noticeably up in some parts of Eastern Europe, especially the Baltic states, but I can’t say whether this tells us anything about its origin."

Kaspersky Lab warned that there are many variants of Shylock. "The cybercriminals behind it continue to tweak the code," its researchers told Infosecurity, "to evade detection, to enhance the malware’s functionality and to try and ensure that it provides them with a return on investment." Anti-virus companies consequently use heuristics rather than signature recognition to detect Shylock – with the implication that its detection is possibly higher than that described by Detica.

The fact remains, however, that this is a sophisticated and adaptable piece of malware that frequently flies under the surface of many detection methodologies. "Today's revelations," said David Bailey, CTO cyber security at Detica, "are a reminder of the agility of malicious cyber criminals and the fact that the UK is a prime target for damaging cyber attacks. The Shylock malware is highly sophisticated, and it is only through intuitive threat intelligence work and the continuing evolution of our cyber security technologies that its exact characteristics have been successfully detected."
