NCA, FBI, Europol Take Down Shylock Banking Malware

On July 8 and 9, 2014, the U.K.'s National Crime Agency (NCA) worked with Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab and the U.K.'s Government Communications Headquarters (GCHQ) to seize command and control servers and domains used by the Shylock banking Trojan.

The operation was run from Europol's European Cybercrime Center (EC3) in The Hague, with investigators from the U.K., the U.S., Italy, the Netherlands, Turkey, Germany, France and Poland participating.

"It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU," EC3 head Troels Oerting said in a statement. "It's another step in the right direction for law enforcement and prosecutors in the EU, and I thank all involved for their huge commitment and dedication."

The Shylock malware, which contains excerpts from Shakespeare's "Merchant of Venice" in its code, has infected more than 30,000 Windows PCs worldwide. The malware was first uncovered by Trusteer researchers in September of 2011.

Victims are usually infected when they click on malicious links and are then persuaded to download and run the malware, which is designed to access and transfer funds held in the victims' online bank accounts.

Jason Milletary, technical director for malware analysis at Dell SecureWorks Counter Threat Unit (CTU), told SC Magazine that Shylock often spreads via Skype or local shares and removable drives, and is capable of injecting fake chat screens into Web pages.

"[Attackers] try to trick the users into believing they are communicating with a bank [representative] when, in fact, they are communicating with the criminal," Milletary said. "They were getting information they needed to impersonate the victim [when] logging in."

All Windows users who haven't activated automated operating system updates are advised to visit this Microsoft Support page for information on preventing infection from Shylock and other malware.

"The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world," Andy Archibald, deputy director of the NCA's National Crime Cyber Unit, said in a statement. "This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime."

"We continue to urge everybody to ensure their operating systems and security software are up to date," Archibald added.
