News Feature | August 6, 2014

International Partnership Works To Bring Down Shylock Trojan

By Christine Kern, contributing writer

Data Security

The success of the sting highlights the potential of future collaborative prevention

A partnership of international law enforcement and security experts has disrupted the activities of the financial Trojan Shylock, according to the UK National Crime Agency (NCA). The global takedown, announced July 10 and coordinated by the NCA, brought together partners from the law enforcement and private sectors, including Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, and the UK's GCHQ (Government Communications Headquarters), to combat the threat.

On July 8 and 9, law enforcement agencies took action to disrupt the system that Shylock depends on to operate. This comprised seizing the servers that form the command and control system for the Trojan and taking control of the domains Shylock uses for communication between infected computers, according to Europol.

Shylock is named after the principal antagonist in Shakespeare's Merchant of Venice. The malicious code within the Trojan contains excerpts from the play. Security experts at Symantec say that the Trojan is “seen as one of the world's most dangerous financial Trojans” as it is designed to intercept banking transactions conducted online and, as a result, lift victims' credentials. It has infected at least 30,000 computers running Microsoft Windows worldwide. Intelligence suggests that Shylock targets the U.K. more than any other country; nevertheless, the U.S., Italy, and Turkey are also being targeted hard by the malicious code. It is thought that the suspected developers are based elsewhere.

More advanced than other banking Trojans, Shylock has a targeted distribution network that allows the cyber attackers to infect victims through multiple channels. The Trojan has been continuously updated in response to countermeasures set by targeted banks. In addition, the malware is modular, allowing criminals to change its functionality quickly and easily. Shylock is privately owned and has not been seen for sale in underground markets.

The stings were conducted from the European Cybercrime Centre (EC3) at Europol in The Hague, and investigators worldwide from the NCA, FBI, the Netherlands, Turkey, and Italy coordinated action in their respective countries, acting at the same time as counterparts in Germany, Poland, and France.

Victims are typically infected by clicking on malicious links, and then persuaded to download and run the malware. Shylock will then seek to access funds held in business or personal bank accounts, and transfer them to the criminal controllers.

“The European Cybercrime Centre is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure,” says Troels Oerting, head of EC3 at Europol. “EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts.” Oerting continues, “In this way, we have been able to support frontline cyber investigators, coordinated by the U.K.'s NCA, and working with the physical presence of the United States’ FBI and colleagues from Italy, Turkey, and the Netherlands, with virtual links to cyber units in Germany, France, and Poland.”

Andy Archibald, Deputy Director of the NCA's National Cyber Crime Unit in the U.K., says, “The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world. This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime.” The success of this international operation demonstrates the potential of such joint operations in combatting future cyber-criminal activity.