
Shylock malware gets stung by law enforcement

Police and security firms team up to take down the notorious Shylock, a dangerous financial Trojan that has infected at least 30,000 Windows computers worldwide.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.


International law enforcement and security experts have disrupted the activities of the financial Trojan Shylock, according to the UK National Crime Agency.

The global takedown, announced Thursday, was led by the NCA alongside the FBI, Europol, Dell SecureWorks, GCHQ, Kaspersky Lab and other security firms. The groups "jointly addressed" the Shylock Trojan, seizing the command and control servers -- which relay instructions to the malware -- in a series of stings, as well as taking control of the domains Shylock uses for communication between infected computers.

Shylock is so called because the malicious code contains excerpts from Shakespeare's "Merchant of Venice." Security experts at Symantec say that the Trojan is "seen as one of the world's most dangerous financial Trojans" as it is designed to intercept banking transactions conducted online and lift victim credentials as a result.

More advanced than other banking Trojans, Shylock has a targeted distribution network that allows the cyberattackers to infect victims through multiple channels, and the Trojan has been continuously updated in response to countermeasures set by targeted banks. In addition, the malware is modular, allowing criminals to change its functionality quickly and easily.

Shylock is privately owned and has not been seen for sale in underground markets.

The stings were conducted from the European Cybercrime Centre (EC3) at Europol in The Hague, and investigators worldwide from the NCA, FBI, the Netherlands, Turkey and Italy coordinated action in their respective countries, acting at the same time as counterparts in Germany, Poland and France.

Symantec estimates that the cybercriminals behind Shylock have stolen several million dollars from victims over the past three years. The NCA estimates that Shylock has infected at least 30,000 Windows computers worldwide, with the UK targeted more than any other country.

Symantec's estimates for Shylock's geographical targeting are shown below.

Troels Oerting, head of EC3 at Europol, said:

The European Cybercrime Centre is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure. [..] We have been able to support frontline cyber investigators, coordinated by the UK's NCA, and working with the physical presence of the United States' FBI and colleagues from Italy, Turkey and the Netherlands, with virtual links to cyber units in Germany, France and Poland.

This article originally appeared at ZDNet under the headline "Police, security firms team up and take down Shylock malware."