Caphaw Financial Malware Surge Hits Customers of 24 Major Banks

A notorious piece of financial malware has been surging lately, and is targeting the credentials and information of customers of two dozen banks. 

According to Zscaler, infections of the Caphaw malware – also known as Shylock – have risen recently. The malware was first spotted in 2011 and functions similarly to other financial malware such as Carberp. Currently, attackers are focusing their efforts on customers of major banks in Europe, and previous analysis has shown the malware is most active in the U.K., Italy, Turkey and Denmark.

“Caphaw avoids local detection by injecting itself into legitimate processes such as explorer.exe or iexplore.exe, while simultaneously obfuscating its phone home traffic through the use of Domain Generated Algorithm created addresses using Self Signed SSL certificates,” blogged Sachin Deodhar and Chris Mannon at Zscaler’s ThreatLabZ. “This limits the ability of traditional network monitoring solutions to dissect the packets on the wire for any malicious transactions.”

“The geoip (location) information derived from the infected host is of special significance to this malware,” the researchers continued. “The malware leverages the following legitimate URL: hxxp://j.maxmind.com/app/geoip.js to discover geoip information about its freshly infected victim. Administrators should view this transaction as a starting point for their investigation into any suspicious activity. It is not a malicious service, but illustrates how malware writers can leverage even legitimate services. The infection uses the output of this script to extract location information about the infected host/victim.”

So far, the initial infection vector has not been determined, though Zscaler suspects the malware is being delivered by an exploit kit targeting Java vulnerabilities, because the user agent for every transaction that has passed through Zscaler’s Behavioral Analysis solution has been: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07.

Across all 64 distinct samples Zscaler has collected, there have been 469 distinct IPs where there has been a call to a DGA (domain generation algorithm) location. DGA is used by multiple malware authors in the name of obfuscation, including the PushDo botnet and the TDL/TDSS malware.

“A domain generation algorithm (or DGA) represents an algorithm seen in various families of malware to generate a large number of quasi-random domain names,” the researchers noted. “These can be used to identify the malware’s command and control (CnC) servers so that the infected hosts can “dial home” and receive/send commands/data. The large number of potential rendezvous points with randomized names makes it extremely difficult for investigators and law enforcement agencies to identify and “take down” the CnC infrastructure. Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.”
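The three observations above (the geoip lookup as an investigation starting point, the fixed Java user agent, and quasi-random DGA hostnames) can be turned into a simple proxy-log triage. The following is an added example written for this article, not Zscaler's or the researchers' code; the log line format, the sample lines and the entropy/vowel thresholds are constructed assumptions, while the user agent string and the maxmind URL are the values quoted in the article.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Indicators quoted in the article from Zscaler's analysis.
JAVA_UA = "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07"
GEOIP_URL = "j.maxmind.com/app/geoip.js"

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single domain label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_dga(host: str, min_len: int = 10, min_entropy: float = 3.3) -> bool:
    """Heuristic for quasi-random DGA names: a long, high-entropy second-level
    label with few vowels. Thresholds are assumptions for this example."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < min_len or not sld.isalnum():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio < 0.3

def triage(log_lines):
    """Map each source IP to the sorted set of reasons it deserves a look.
    Assumed (constructed) log format: SRC "METHOD URL" "USER-AGENT"."""
    findings = defaultdict(set)
    for line in log_lines:
        parts = line.strip().split('"')
        if len(parts) < 4:
            continue  # not in the assumed format; skip
        src, request, ua = parts[0].strip(), parts[1], parts[3]
        url = urlsplit(request.split(" ", 1)[1])
        if ua == JAVA_UA:
            findings[src].add("java-ua")
        if url.netloc + url.path == GEOIP_URL:
            findings[src].add("geoip-lookup")  # legitimate service, but a starting point
        if looks_dga(url.netloc):
            findings[src].add("dga-like-host:" + url.netloc)
    return {src: sorted(reasons) for src, reasons in findings.items()}

# Constructed sample lines; the hostnames are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 "GET http://j.maxmind.com/app/geoip.js" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07"',
    '10.0.0.5 "POST https://qkzvxtrbwmhj.example/ping" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07"',
    '10.0.0.7 "GET https://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"',
]
```

A host that hits all three reasons at once is the one to pull for investigation first; a lone geoip lookup from a browser user agent is normal traffic.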

Some of the banks being targeted by the malware include SunTrust, Wells Fargo and Sovereign Bank. A list of the remaining banks can be found on the Zscaler blog.

Written By

Marketing professional with a background in journalism and a focus on IT security.
