Trojan Variant 'Caphaw' Targets 24 Banks

An old malware variant has revisited roughly two dozen financial institutions — among them Bank of America, Capital One, U.S. Bancorp and Sovereign Bank — according to cloud security company Zscaler.

Over the past month, researchers have noticed that Win32/Caphaw, also known as Shylock, has been used in attempts to steal bank customers’ credentials.

The variant is a back door of sorts. Once it latches on to a hard drive, it gives attackers remote access to and control of the computer. It may be used to conduct distributed denial of service (DDoS) attacks, or to install additional Trojans or other malicious software, according to a Microsoft website. For example, it might install a downloader or dropper Trojan, which may in turn install a proxy Trojan used to relay spam or a keylogger Trojan that records keystrokes and sends them to remote attackers. It might also open ports on the affected system, potentially exposing it to further compromise by other attackers. It uses Skype to send messages and files, according to a Microsoft security blog post.

The malicious software has been targeting financial services firms’ data since 2011, said Zscaler.

"These attacks are carried out utilizing stealth tactics both on and off the wire," said Chris Mannon, a security researcher at Zscaler, in a blog post. "Caphaw avoids local detection by injecting itself into legitimate processes."

To be clear, Zscaler, which sells services to combat such attacks and claims to secure devices, has a financial motive in pointing out the increase.

The Caphaw variant is a fusion of Conficker and Zeus, says David Jevans, the founder, chairman and CTO of mobile security cloud company Marble Security.

"Zeus is the banking Trojan that we run into most often. It takes over bank accounts, and it tends to be focused on midsized banks," he says. "Conficker was one of the most sophisticated Trojans that used domain generation algorithms to avoid blocking and detection at the network level."
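To make concrete why the domain generation algorithms Jevans mentions defeat blocklist-based blocking, here is an added example written for this page. It is not Conficker's or Caphaw's actual generator: the hash-based generator, the seed string, the cutoff values and the "legitimate" domain names are all constructed assumptions, but the mechanism (both sides derive the day's rendezvous names from a shared secret, so a blocklist built from yesterday's traffic is stale today) and the entropy/vowel-ratio heuristic a network sensor can apply instead are the real techniques.

```python
"""Toy domain generation algorithm (DGA) and a network-side heuristic.

Added example: the generator is a simple hash-based stand-in, NOT
Conficker's or Caphaw's real algorithm; the seed string, thresholds and
"legitimate" names below are constructed for illustration.
"""
import hashlib
import math

TLDS = ("com", "net", "org", "info")


def dga_domains(day_iso: str, count: int, secret: str = "toy-seed") -> list[str]:
    """Derive `count` pseudo-random domains from a date string and a shared secret.

    Infected hosts and the operator compute the same list independently, so
    the operator registers only a few of them and a blocklist built from
    yesterday's traffic contains none of today's names.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{secret}:{day_iso}:{i}".encode()).digest()
        length = 10 + digest[0] % 6                        # 10..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def shannon_entropy(text: str) -> float:
    """Bits per character: random letters score high, repeated characters low."""
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(domain: str, min_len: int = 10,
                   max_vowel_ratio: float = 0.30, min_entropy: float = 2.5) -> bool:
    """Flag long, vowel-poor, non-repetitive second-level labels.

    The cutoffs are assumptions tuned to this toy set: dictionary-word names
    such as 'bankofamerica' are vowel-rich and pass, random letter strings
    mostly do not.
    """
    label = domain.lower().split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy


def triage(observed: list[str], stale_blocklist: set[str]) -> dict[str, int]:
    """Compare a static blocklist with the heuristic over one day's DNS names."""
    return {
        "observed": len(observed),
        "blocklist_hits": sum(d in stale_blocklist for d in observed),
        "heuristic_hits": sum(looks_like_dga(d) for d in observed),
    }


if __name__ == "__main__":
    # Constructed scenario: defenders blocklisted what they saw on day one;
    # on day two the bots roll to a fresh set of names.
    blocklist = set(dga_domains("2013-09-01", 40))
    today = dga_domains("2013-09-02", 40) + ["bankofamerica.com", "usbank.com"]
    print(triage(today, blocklist))
```

The point of `triage` is the contrast: the day-one blocklist matches nothing on day two, while the character-statistics heuristic still catches most of the generated names. Real sensors refine this with NXDOMAIN rates and n-gram models, since a vowel ratio alone misfires on short brand names.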

Regardless, Caphaw is just the latest in a string of malware developments that have been plaguing banks.

For instance, over the summer, the source code behind the crimekit Carberp was leaked onto the internet.

At the time, the banking malware, which acts as a software development kit allowing someone with little programming skill to mount customized attacks, was expected to increase the number of new variant strains exponentially.

Caphaw, like many Trojans, can carry out a variety of criminal tasks, from initiating wire transfers to stealing victims' personal files and sending them elsewhere.

But those same similarities should work against the malware, says Ken Baylor, a research vice president at information security research and advisory company NSS Labs.

"As far as methodology, there's nothing new here. [Banking Trojan] Zeus has been doing all of this for a while," he says. "It's a new Trojan, but it hasn't broken the mold, it’s just following true and trusted Zeus tactics."

That means banks that have taken a methodical approach to their security shouldn’t have a problem.

"It's similar to fighting Zeus," says Baylor. "Banks need to put customer-facing anti-fraud tools on the [customer’s] computer. They need a back-end risk engine that compares known good transactions on a per-customer basis with the current transaction."

He added that banks can also check the IP address of any device trying to sign in to an online portal. "Is it in the same country or region it is purporting to be [based on geolocation data]?" says Baylor. They can conduct velocity checks. "Did you just click through 35 pages in 1.4 seconds? You are a bot, not a human."

They can also check the previous payee list. "Have I ever paid you anything before, or are you totally new to the account?" Baylor explains.
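The three checks Baylor lists (geolocation, velocity, previous-payee) plus the per-customer baseline he describes fit naturally into one additive risk engine. The following is an added example written for this page, not code from Zscaler, NSS Labs or any bank: the customer profile, sessions, payee names, amounts, signal weights and decision thresholds are constructed assumptions, and IP-to-country resolution is assumed to have happened upstream.

```python
"""Back-end risk engine of the kind described above: a per-customer
baseline compared against the current session and transaction.

Added example, not code from Zscaler, NSS Labs or any bank. The profile,
sessions, payees, amounts, weights and thresholds are constructed
assumptions; IP-to-country resolution is assumed to have happened upstream.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerProfile:
    usual_countries: frozenset   # where this customer normally logs in from
    known_payees: frozenset      # anyone they have paid before
    typical_max_amount: float    # largest routine payment seen on the account


@dataclass(frozen=True)
class Session:
    ip_country: str              # geolocated country of the login IP
    pages_viewed: int
    elapsed_seconds: float


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount: float


# Signal weights are assumptions: no single signal blocks on its own, a
# combination does. A real deployment tunes these against its own fraud history.
WEIGHTS = {
    "geo_mismatch": 40,
    "bot_velocity": 50,
    "new_payee": 30,
    "unusual_amount": 20,
}


def geo_mismatch(profile: CustomerProfile, session: Session) -> bool:
    return session.ip_country not in profile.usual_countries


def bot_velocity(session: Session, max_pages_per_second: float = 2.0) -> bool:
    """Humans do not click through 35 pages in 1.4 seconds."""
    if session.elapsed_seconds <= 0:
        return session.pages_viewed > 1
    return session.pages_viewed / session.elapsed_seconds > max_pages_per_second


def new_payee(profile: CustomerProfile, txn: Transaction) -> bool:
    return txn.payee not in profile.known_payees


def unusual_amount(profile: CustomerProfile, txn: Transaction) -> bool:
    return txn.amount > profile.typical_max_amount


def score_transaction(profile: CustomerProfile, session: Session,
                      txn: Transaction) -> tuple[int, list[str]]:
    """Return the additive risk score and the signals that fired, in a fixed order."""
    signals = []
    if geo_mismatch(profile, session):
        signals.append("geo_mismatch")
    if bot_velocity(session):
        signals.append("bot_velocity")
    if new_payee(profile, txn):
        signals.append("new_payee")
    if unusual_amount(profile, txn):
        signals.append("unusual_amount")
    return sum(WEIGHTS[s] for s in signals), signals


def decide(score: int, review_at: int = 40, block_at: int = 80) -> str:
    """Map a score to an action; the thresholds are assumptions."""
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "step-up"   # out-of-band confirmation before the transfer leaves
    return "allow"


# Constructed sample data.
SAMPLE_PROFILE = CustomerProfile(
    usual_countries=frozenset({"US"}),
    known_payees=frozenset({"Con Edison", "Verizon"}),
    typical_max_amount=2500.0,
)
# A Trojan driving the browser from abroad, wiring money to a mule account.
FRAUD_SESSION = Session(ip_country="RO", pages_viewed=35, elapsed_seconds=1.4)
FRAUD_TXN = Transaction(payee="Acme Holdings LLC", amount=9800.0)
# The same customer paying a routine bill.
GOOD_SESSION = Session(ip_country="US", pages_viewed=12, elapsed_seconds=180.0)
GOOD_TXN = Transaction(payee="Verizon", amount=120.0)
# A legitimate but unfamiliar payment: new payee and a larger-than-usual amount.
NEW_PAYEE_TXN = Transaction(payee="Smith Roofing", amount=4200.0)


if __name__ == "__main__":
    for label, sess, txn in (("fraud", FRAUD_SESSION, FRAUD_TXN),
                             ("routine", GOOD_SESSION, GOOD_TXN),
                             ("new payee", GOOD_SESSION, NEW_PAYEE_TXN)):
        score, signals = score_transaction(SAMPLE_PROFILE, sess, txn)
        print(f"{label:10s} score={score:3d} {decide(score):8s} {signals}")
```

The third sample case is the one that matters operationally: a genuine customer paying a new contractor trips two signals and lands in "step-up" (a phone call or out-of-band code), not "block", while the Trojan-driven session from a foreign IP at bot speed to an unknown payee exceeds the block threshold on the combination. Because a banking Trojan running on the customer's own machine can make the session look local if it proxies through the victim, the velocity and payee checks are the ones that survive that trick, which is why a single signal should never be decisive.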

He adds that these measures should catch nearly all of these types of attacks.

MORE FROM AMERICAN BANKER