A stealthy banking Trojan known as Caphaw or Shylock has resurfaced – and is attacking customers of 24 American banks. It’s armed with defensive and stealth abilities including the power to “restore” itself during shutdown.
The malware is described as “one of the few that can steal money while a user is accesing his bank acount,” by ESET Security Intelligence Team Lead, Aleksandr Matrosov, who published a detailed analysis of the malware this year.
“It is an interesting financial malware family: one of the few that has autoload functionality for automatically stealing money when the user is actively accessing his banking account. An infected user can’t recognize that his money is being stolen,” Matrosov writes.
“This threat has many techniques for bypassing security software and evading automated malware samples processing.”
Zscaler said in a blog post, “Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users’ bank accounts since 2011. You may recognize this threat from research done by WeLiveSecurity earlier this year in regards to this threat targeting EU Banking sites. This time would appear to be no different. So far, we have tied this threat to monitoring it’s victims for login credentials to 24 financial institutions.”
Security firm Zscaler reported an increase in detections of the malware this week, targeting 24 U.S. banks including Chase Manhattan, Bank of America, Citi and Wells Fargo. First detected in 2011, the malware targeted European customers in the United Kingdom, Italy, Denmark and Turkey.
Zscaler researchers said that the malware was likely spreading via an exploit kit via vulnerable versions of Java.
At this moment, ESET Virus Radar shows an increase in infections in North America. Zscaler warns that the stealthy nature of the malware means it is difficult to detect – more details on the stealth capabilities of this malware can be found in Matrosov’s analysis.
“Caphaw can control the reboot/shutdown process and makes it possible for the malware to restore itself after some antivirus cleaning procedures have been carried out,” Matrosov said in his post.
Author Rob Waugh, We Live Security