Symantec has detected a new variant of the Shylock banking Trojan, which contains updated features designed to evade detection.
Shylock spreads via social engineering and contains a new mechanism that produces a different copy of the malware each time it is downloaded, helping it evade detection by signature-based antivirus.
"These updates to Shylock are reported to be causing numerous problems relating to hidden files for Internet forum users," Symantec said in an analysis of the Shylock Trojan, issued today.
Shylock targets two Java vulnerabilities, which have been patched by Oracle. Once the loader is installed, it connects to a remote server to receive the Shylock hijacker, the main component that collects information about the compromised computer and sends it to the command-and-control (C&C) server, Symantec said. In addition, the malware downloads a number of components, giving it additional capabilities.
The malware is designed to inject itself into a website, steal cookies and obtain banking account credentials. It can passively monitor user traffic or modify it in transit, researchers said. It can also spread via removable drives and, once it has successfully completed an attack, it uninstalls itself.
Symantec said it appears the malware attempts to trick users into downloading it by clicking on image files. "It spreads by replacing different types of document files, located in removable drives and network shares, with links to malicious executable files," Symantec said.
U.K. banks targeted by Shylock Trojan
Shylock was named after the Shakespearean moneylender who demanded a "pound of flesh" as the penalty for an unpaid debt. It was first detected in 2011 by researchers at Boston-based Trusteer and mainly targeted U.K. banks, including HSBC, RBS and Santander's U.K. operations. Attacks were detected against users of Internet Explorer and Firefox running on Windows.
Shylock is one of a number of banking Trojans, including Zeus and SpyEye, that have been in widespread use by attackers. Such malware is designed to steal account credentials and drain money from account holders. One of the smallest banking Trojans, Tinba, was detected in May by Danish security firm CSIS Security Group A/S. Its tiny footprint helps it avoid detection, but it too aims to steal login data and sniff network traffic. Tilon, banking malware detected earlier this month, uses a man-in-the-browser (MitB) attack to sniff traffic and steal credentials.