Caphaw Financial Malware Surge Hits Customers of 24 Major Banks

A notorious piece of financial malware has been surging lately, and is targeting the credentials and information of customers of two dozen banks. 

According to Zscaler, infections of the Caphaw malware – also known as Shylock – have risen recently. The malware was first spotted in 2011, and functions similar to other financial malware like Carberp. Currently, attackers are focusing their efforts on customers of major banks in Europe, and previous analysis has show n the malware is most active in the U.K., Italy, Turkey and Denmark.

“Caphaw avoids local detection by injecting itself into legitimate processes such as explorer.exe or iexplore.exe, while simultaneously obfuscating its phone home traffic through the use of Domain Generated Algorithm created addresses using Self Signed SSL certificates,” blogged Sachin Deodhar and Chris Mannon at Zscaler’s ThreatLabZ. “This limits the ability of traditional network monitoring solution to dissect the packets on the wire for any malicious transactions.”

“The geoip (location) information derived from the infected host is of special significance to this malware,” the researchers continued. “The malware leverages the following legitimate URL: hxxp://j.maxmind.com/app/geoip.js to discover geoip information about its freshly infected victim.  Administrators should view this transaction as a starting point for their investigation into any suspicious activity. It is not a malicious service, but illustrates how malware writers can leverage even legitimate services. The infection uses the output of this script to extract location information about the infected host/victim.”

So far, the initial infection vector has not been determined, though Zscaler suspects it is being delivered via an exploit kit exploiting vulnerabilities in Java due to the fact that the user agent for every single transaction that has come through Zscaler’s Behavioral Analysis solution has been: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07.

Across all 64 distinct samples Zscaler has collected, there have been 469 distinct IPs where there has been a call to a DGA (domain generation algorithm) location. DGA is used by multiple malware authors in the name of obfuscation, including the PushDo botnet and the TDL/TDSS malware.

“A domain generation algorithm (or DGA) represents an algorithm seen in various families of malware to generate a large number of quasi-random domain names,” the researchers noted. “These can be used to identify the malware’s command and control (CnC) servers so that the infected hosts can “dial home” and receive/send commands/data. The large number of potential rendezvous points with randomized names makes it extremely difficult for investigators and law enforcement agencies to identify and “take down” the CnC infrastructure. Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.”

Some of the banks being targeted by the malware include SunTrust, Wells Fargo and Sovereign Bank. A list of the remaining banks can be found on the Zscaler blog.