A new variant of the banking virus known as Shylock has been detected by Swift, it includes the capability to spread over Skype.
Shylock is a well known entity for security community, the malware was detected for first time in 2011 by whitehats from Trustee firm, it is used to steal banking credentials from its victims and is considered one of the most successful virus for banking.
The first version of the malware demonstrated improved methodology for injecting code into browser to remote control the victim and an improved evasion technique to prevent detection by popular antivirus software.
As many other malware (e.g. Zeus) it has been update in the time, in many cases the provisioning of a malware has been done through the malware-as-service model in adopted by author to implement various requests of the clients.
The news revealed that that the authors of shylock have implemented a plugin named “msg.gsm” that allows the code to spread through the popular VOIP client including the following functionality:
- Sending messages and transferring files
- Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
- Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
- Sends request to server: https://a[removed]s.su/tool/skype.php?action=…
The CSIS published the data on geographic distribution of the malicious agent that hit mainly Europe and US in particular UK users.
The malware is able to manipulate Skype history and steal files from the victims bypassing Skype warning/restriction for connecting to Skype displayed every time a third party application try access to the services of the popular application.
The malware could also steal cookies, inject HTTP into a website, setup VNC and upload files and among other functions included the possibility to spread through local shares and removable drives
Shylock is considered a serious banking cyber threat especially in the future due its constant update and the introduction of new feature to increase spread capabilities and evade detection activities.