Researchers at Symantec have identified several new functionality modules for the banking trojan, which it says is targeting about 60 financial institutions around the world at the moment, mostly in the UK. The new bells and whistles range from the utilitarian (video compression for easier uploading of video files) to the efficiency-minded (Ftpgrabber enables the collection of saved passwords from a variety of applications).
It also features modules aimed at propagation: DiskSpread and MsgSpread enable Shylock to spread over attached drives and through Skype instant messages, respectively. The latter functionality was first seen in January.
A new module called BackSocks lets a compromised computer to act as a proxy server, while VNC provides the attacker with a remote desktop connection to the compromised computer.
In addition to the souped up capabilities, Shylock is going global, spreading notably to Italy and the US.
“Shylock was specifically targeting computers located in the United Kingdom but it is now spreading to other countries,” Symantec noted in a blog post. “Also, as some financial institutions become less desirable as targets, either due to increased security measures or a lack of high-value business accounts, Shylock is refocusing its attacks on those offering potentially larger returns.”
Right now, five central command-and-control (C&C) servers are currently controlling the Shylock botnet. These servers are situated in Germany and the US at various hosting providers.
The main purpose of Shylock is to perform a man-in-the-browser (MITB) attack against a configured list of target organization websites. The attack is used to steal user credentials and apply social engineering tactics in order to convince the user to perform fraudulent transactions at the target institution. The Trojan employs a robust infrastructure that allows for redundancy and load-balancing during periods of high traffic, whereby servers will redirect compromised computers to another server depending on the number of incoming connections.
When a compromised computer performs one of the new, additional modules, it sends a report log to the C&C server, which is how they were discovered. These logs are then redirected to the appropriate server using encrypted communication – the servers act as a secure socket layer (SSL) to each other.
Shylock continues to morph in its pathology. Recently it was found to have evolved the ability to identify and avoid remote desktop environments – a setup commonly used by researchers when analyzing malware.
“As always, we recommend that you follow best security practices and ensure that you have the most up-to-date software patches in place,” Symantec noted.