According to the in-browser web security software vendor, the malware has been observed abusing a large installed base of infected machines to attack global financial institutions.
Trusteer adds that it is still investigating the new financial malware, which it has temporarily named Shylock. Unlike the non-financial malware Ramnit - which the firm reported late last month had turned into a fraud platform - Shylock does not incorporate tactics from the infamous Zeus Trojan. It appears, says the firm, that criminals have developed custom financial fraud capabilities for the Shylock malware.
As reported late last month, Ramnit was found to be using Zeus-like strategies to propagate and infect users' PCs.
The malware – a recode of Win32.Ramnit (first seen 18 months ago) – has the ability inject HTML code directly into the web browser client, so side-stepping conventional two-factor authentication plus transaction signing systems used by financial institutions to protect their users' online banking sessions
With Shylock, however, Trusteer says that cybercriminals have developed customised financial fraud capabilities for the malware, including an improved methodology for injecting code into additional browser processes to take control of the victim's computer, and an improved evasion technique to prevent malware scanners from detecting its presence.
One nasty feature of the malware, says the firm, is a sophisticated watchdog service that allows it to resist removal attempts and restore operations.
“As with all financial fraud toolkits, Shylock's detection rate among anti-malware solutions and fraud detection systems is extremely low”, said Amit Klein, Trusteer's CTO.
“The ability of cyber criminals to develop, distribute, and operate new tools under the radar of the industry is troubling. Enterprises and individuals continue to rely on security architectures that were designed 20 years ago and have limited value in protecting their critical assets against cybercrime attacks”, he added.