
Shylock Financial Malware Plays Hide And Seek With Security Researchers

The Shylock financial malware has added new evasive capabilities, Trusteer researchers have found.

Shylock can now detect whether it is being run inside a remote desktop session or executed locally, Gal Frishman, the malware analysis team leader at Trusteer, wrote on the company blog on Wednesday. The Shylock dropper feeds invalid arguments into a particular Windows API routine and inspects the error code it gets back to determine what kind of environment it is running in.

Depending on the error code, Shylock decides whether the session is a normal desktop or a remote desktop. If it turns out to be a remote desktop, Shylock won't install itself, making it harder for researchers to analyze the sample, Frishman said.

More specifically, when the dropper is executed locally, the error code returned by the smart card API function SCardForgetReaderGroupA, called as SCardForgetReaderGroupA(0, 0), is either 0x80100011 (SCARD_E_INVALID_VALUE) or 0x2 (ERROR_FILE_NOT_FOUND). Inside a remote desktop session, the returned code is 0x80100004 (SCARD_E_INVALID_PARAMETER), according to the blog post.
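The check described above, reproduced as an added example; this is not Shylock's code and not code from the Trusteer post. The classifier maps the three return codes the article quotes to a verdict; treating any other code as "unknown" is an assumption of this example, since the post does not say what the dropper does in that case. The live call to SCardForgetReaderGroupA is only compiled on Windows (link with winscard.lib); on other platforms the program walks a constructed table of sample codes instead.

```c
/* Added example: reproduce Shylock's remote-desktop check as described in the
 * article. Not the malware's own code. The classifier is portable; the real
 * WinSCard probe exists only under _WIN32. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winscard.h>   /* SCardForgetReaderGroupA; link with winscard.lib */
#endif

/* Return codes quoted in the article (values match winscard.h / winerror.h). */
#define CODE_SCARD_E_INVALID_VALUE      0x80100011UL
#define CODE_SCARD_E_INVALID_PARAMETER  0x80100004UL
#define CODE_ERROR_FILE_NOT_FOUND       0x00000002UL

typedef enum {
    SESSION_LOCAL,    /* console/local desktop: the dropper would install   */
    SESSION_REMOTE,   /* remote desktop session: the dropper would bail out */
    SESSION_UNKNOWN   /* any code the article does not cover (assumption)   */
} session_kind;

/* Map the result of SCardForgetReaderGroupA(0, 0) to a verdict. */
session_kind classify_scard_result(unsigned long code)
{
    switch (code) {
    case CODE_SCARD_E_INVALID_VALUE:
    case CODE_ERROR_FILE_NOT_FOUND:
        return SESSION_LOCAL;
    case CODE_SCARD_E_INVALID_PARAMETER:
        return SESSION_REMOTE;
    default:
        return SESSION_UNKNOWN;
    }
}

const char *session_name(session_kind k)
{
    switch (k) {
    case SESSION_LOCAL:  return "local desktop";
    case SESSION_REMOTE: return "remote desktop";
    default:             return "unknown";
    }
}

#ifdef _WIN32
/* Live probe: same deliberately invalid arguments (null context, null group
 * name) that the article reports the dropper using. */
session_kind probe_session(void)
{
    LONG rc = SCardForgetReaderGroupA((SCARDCONTEXT)0, NULL);
    return classify_scard_result((unsigned long)(DWORD)rc);
}
#endif

int main(void)
{
#ifdef _WIN32
    session_kind k = probe_session();
    printf("SCardForgetReaderGroupA(0, 0) verdict: %s\n", session_name(k));
#else
    /* Constructed sample codes for platforms without WinSCard. */
    unsigned long samples[] = {
        CODE_SCARD_E_INVALID_VALUE,
        CODE_ERROR_FILE_NOT_FOUND,
        CODE_SCARD_E_INVALID_PARAMETER,
        0x80100003UL,  /* SCARD_E_INVALID_HANDLE: not covered by the article */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lx -> %s\n", samples[i],
               session_name(classify_scard_result(samples[i])));
#endif
    return 0;
}
```

For an analyst the practical takeaway is the inverse of the dropper's logic: a sandbox or analysis VM that is driven over RDP will hand this sample 0x80100004 and see no infection. Either analyze from the console session, or have the sandbox hook SCardForgetReaderGroupA so that it returns 0x80100011 regardless of the real session type.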

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Frishman said.

Researchers generally collect malware samples on isolated machines and servers, Trusteer said. In many cases, researchers then use remote desktop sessions to reach those systems and analyze the samples “from the convenience and coziness of their offices,” according to the blog post.

Shylock’s defensive strategy relies on this particular “human weakness,” Trusteer said.

The logic behind the tactic is simple: if the malware never installs on the researcher’s machine in the first place, it is harder for the researcher to analyze it and generate a signature to detect it. The dropper can use the same method to identify other known or proprietary virtual and sandbox environments as well, Trusteer explained.

Malware strains are increasingly using a variety of approaches to identify their execution environment, Trusteer said. For example, several pieces of malware won’t execute or infect a virtual machine, a maneuver based on the fact that many honeypots are virtual machines.

Over the summer, Trusteer identified another financial malware, Tilon, which had added new advanced evasive capabilities. Tilon injects itself into the browser to launch “man in the browser” (MitB) attacks and installs itself as a service with a genuine-looking name and a random executable name. Tilon is one of the strains that won’t install on a virtual machine, according to Trusteer.
