
Shylock Financial Malware Plays Hide And Seek With Security Researchers


The Shylock financial malware has added new evasive capabilities, Trusteer researchers have found.


Shylock can now detect if it is being observed within a remote desktop session or being executed locally, Gal Frishman, the malware analysis team leader at Trusteer, wrote on the company blog on Wednesday. The Shylock dropper feeds invalid data into a certain routine and analyzes the error message to determine what kind of environment it is currently running on.

Depending on the error code it receives back, Shylock is able to determine whether the session is a normal desktop or a remote desktop. If it turns out to be a remote desktop, Shylock won’t install itself, making it harder for researchers to analyze the sample, Frishman said.

More specifically, when the dropper is executed locally, the error code returned by the function SCardForgetReaderGroupA(0, 0) is either 0x80100011 (SCARD_E_INVALID_VALUE) or 0x2 (ERROR_FILE_NOT_FOUND). On the remote desktop, the returned code is 0x80100004 (SCARD_E_INVALID_PARAMETER), according to the blog post.
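A defender-side way to use this information is to run the very same WinSCard call on an analysis VM, once from the console and once over RDP, and see which of the codes above each session returns. The script below is an added example (not code from the Trusteer post or from the malware); it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where winscard.dll is always present, and uses the SESSIONNAME environment variable as an independent cross-check.

```powershell
# Added example: probe the current session with the same WinSCard call the
# Shylock dropper uses, then report how the dropper would classify it.
if (-not ('SandboxCheck.WinSCardProbe' -as [type])) {
    Add-Type -Namespace 'SandboxCheck' -Name 'WinSCardProbe' -MemberDefinition @'
[DllImport("winscard.dll", EntryPoint = "SCardForgetReaderGroupA", CharSet = CharSet.Ansi)]
public static extern int SCardForgetReaderGroupA(IntPtr hContext, string szGroupName);
'@
}

# Result codes quoted in the article, keyed as unsigned 32-bit hex strings.
$KnownCodes = @{
    '0x80100011' = @{ Name = 'SCARD_E_INVALID_VALUE';     Session = 'local desktop' }
    '0x00000002' = @{ Name = 'ERROR_FILE_NOT_FOUND';      Session = 'local desktop' }
    '0x80100004' = @{ Name = 'SCARD_E_INVALID_PARAMETER'; Session = 'remote desktop' }
}

function Get-ShylockRdpProbeResult {
    # Same call and arguments as in the article: NULL context, NULL group name.
    $raw = [SandboxCheck.WinSCardProbe]::SCardForgetReaderGroupA([IntPtr]::Zero, $null)
    # The LONG comes back as a signed Int32; reinterpret it as the unsigned value the post lists.
    $hex   = '0x{0:X8}' -f [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
    $known = $KnownCodes[$hex]
    $meaning = if ($known) { $known.Name }    else { 'not one of the codes in the post' }
    $probeSession = if ($known) { $known.Session } else { 'unknown' }

    # Independent cross-check: RDP sessions are named RDP-Tcp#<n>, the console is "Console".
    $sessionName = $env:SESSIONNAME
    $windowsSession = if ($sessionName -like 'RDP-*') { 'remote desktop' } else { "local ($sessionName)" }

    [pscustomobject]@{
        ReturnCode          = $hex
        Meaning             = $meaning
        SessionPerProbe     = $probeSession
        SessionPerWindows   = $windowsSession
        # Per the article, the dropper skips installation only on SCARD_E_INVALID_PARAMETER.
        DropperWouldInstall = ($hex -ne '0x80100004')
    }
}

$result = Get-ShylockRdpProbeResult
$result | Format-List
if (-not $result.DropperWouldInstall) {
    Write-Warning 'This session looks like RDP to the probe; detonate samples from the VM console instead.'
}
```

A mismatch between SessionPerProbe and SessionPerWindows on your lab image means the sample would see something other than what the post describes, which is worth knowing before trusting a "did not install" result.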

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Frishman said.

Researchers generally collect malware samples on isolated machines and servers, Trusteer claimed. In many cases, researchers just use remote desktop sessions to access these systems in order to analyze the samples “from the convenience and coziness of their offices,” according to the blog post.

Shylock’s defensive strategy relies on this particular “human weakness,” Trusteer said.

The logic behind this tactic is pretty simple: If the malware doesn’t install on the researcher’s machine in the first place, it is harder for the researcher to analyze it and generate a signature to detect the malware. The dropper can use this method to identify other known or proprietary virtual and sandbox environments as well, Trusteer explained.

Malware strains are increasingly using various approaches to identify their execution environments, Trusteer said. For example, there are several pieces of malware which won’t execute or infect a virtual machine. That specific maneuver is based on the fact that many honeypots are virtual machines.


Over the summer, Trusteer identified another financial malware, Tilon, which had added new advanced evasive capabilities. Tilon injects itself into the browser to launch “man in the browser” (MitB) attacks and installs itself as a service with a genuine-looking name and a random executable name. Tilon is one of the strains that won’t install on a virtual machine, according to Trusteer.
