Caphaw Financial Malware Surge Hits Customers of 24 Major Banks

A notorious piece of financial malware has been surging lately, and is targeting the credentials and information of customers of two dozen banks. 

According to Zscaler, infections of the Caphaw malware – also known as Shylock – have risen recently. The malware was first spotted in 2011, and functions similarly to other financial malware such as Carberp. Currently, attackers are focusing their efforts on customers of major banks in Europe, and previous analysis has shown the malware is most active in the U.K., Italy, Turkey and Denmark.

“Caphaw avoids local detection by injecting itself into legitimate processes such as explorer.exe or iexplore.exe, while simultaneously obfuscating its phone home traffic through the use of Domain Generated Algorithm created addresses using Self Signed SSL certificates,” blogged Sachin Deodhar and Chris Mannon at Zscaler’s ThreatLabZ. “This limits the ability of traditional network monitoring solution to dissect the packets on the wire for any malicious transactions.”

“The geoip (location) information derived from the infected host is of special significance to this malware,” the researchers continued. “The malware leverages the following legitimate URL: hxxp:// to discover geoip information about its freshly infected victim. Administrators should view this transaction as a starting point for their investigation into any suspicious activity. It is not a malicious service, but illustrates how malware writers can leverage even legitimate services. The infection uses the output of this script to extract location information about the infected host/victim.”

So far, the initial infection vector has not been determined, though Zscaler suspects the malware is being delivered by an exploit kit targeting vulnerabilities in Java, because the user agent for every single transaction that has come through Zscaler’s Behavioral Analysis solution has been: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07.

Across all 64 distinct samples Zscaler has collected, 469 distinct IPs have been observed calling out to a DGA (domain generation algorithm) location. DGA is used by multiple malware authors for obfuscation, including the PushDo botnet and the TDL/TDSS malware.

“A domain generation algorithm (or DGA) represents an algorithm seen in various families of malware to generate a large number of quasi-random domain names,” the researchers noted. “These can be used to identify the malware’s command and control (CnC) servers so that the infected hosts can “dial home” and receive/send commands/data. The large number of potential rendezvous points with randomized names makes it extremely difficult for investigators and law enforcement agencies to identify and “take down” the CnC infrastructure. Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.”
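As an added illustration (not code from the article or from Zscaler’s post), the following Python scan runs over constructed proxy log lines and flags two of the indicators discussed above: the Java user agent from the exploit-kit paragraph and quasi-random, DGA-like hostnames of the kind the DGA passages describe. The log format, the entropy and vowel-ratio thresholds, and the sample lines are all assumptions; the user-agent pattern matches the page’s Java/1.6.0_07 string and neighbouring 1.6.0 builds.

```python
import math
import re
from collections import Counter

# Constructed sample proxy log: timestamp, client IP, quoted user agent, destination host.
# Hostnames and addresses are made up for the example; none are real indicators.
SAMPLE_LOG = """\
2013-09-15T10:01:02 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0" www.example.com
2013-09-15T10:01:09 10.0.0.7 "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07" qzvkxwpltrbnmc.info
2013-09-15T10:01:11 10.0.0.7 "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07" xkrtbwqlmznpvh.net
2013-09-15T10:02:30 10.0.0.9 "Mozilla/5.0 (Windows NT 6.1) Chrome/29.0" mail.example.org
"""

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
# The article's observed user agent is Java/1.6.0_07; matching any 1.6.0 build is an assumption.
JAVA_UA_RE = re.compile(r'\bJava/1\.6\.0_\d+\b')


def shannon_entropy(s):
    """Bits of entropy per character in s (0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(host, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Coarse heuristic: long, high-entropy, vowel-poor leftmost labels resemble DGA output.
    Thresholds are assumptions and will produce false positives on CDN-style hostnames."""
    label = host.split('.')[0].lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in 'aeiou' for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def scan(log_text):
    """Return (client, host, reasons) for each line that trips at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, ua, host = m.groups()
        reasons = []
        if JAVA_UA_RE.search(ua):
            reasons.append('java-ua')
        if looks_like_dga(host):
            reasons.append('dga-like-host')
        if reasons:
            findings.append((client, host, reasons))
    return findings
```

Lines carrying both reasons are the strongest leads; a Java user agent alone is common on older hosts, and the hostname heuristic alone needs corroboration such as NXDOMAIN bursts from the same client.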

Some of the banks being targeted by the malware include SunTrust, Wells Fargo and Sovereign Bank. A list of the remaining banks can be found on the Zscaler blog.
