Banking malware used in South Africa, Nigeria and Ghana can now spread through Skype

Banking malware code known as Shylock has been modified and updated to be able to spread to devices using Microsoft’s Skype software, and is targeting African countries.

Shylock is financial malware discovered in 2011 by Trusteer. It is a trojan that steals online banking credentials and information from users’ computers by injecting code into additional Internet browser processes to take control of a computer.

It also includes an improved evasion technique that prevents malware detectors from detecting its presence on a computer.

It evades most malware detectors by deleting its installation files after installation, running only in memory, and continuing to run after an infected computer is rebooted.

Now it seems the malware has been updated with a further “trick” to enable it to spread to many more computers and unsuspecting users. CSIS, an IT Security company in Denmark, this week discovered that Shylock is “now capable of spreading using the popular Voice over IP service and software application, Skype.”

“This allows the malicious Trojan-banker to infect more hosts and continue to be a prevalent threat. Also, the timing does not seem completely coincidental as Microsoft just recently announced that they are discontinuing their Messenger solution and replacing it with Skype.”

Furthermore, according to the Danish IT security company, the malware’s activity is concentrated in “only a few parts of the world.”

These “few parts of the world” where Shylock is active include South Africa, Nigeria and Ghana, with the epicenter of infections, according to CSIS, located primarily in the UK.

In a statement, CSIS said, “If we look at sinkhole data collected by CSIS (illustrated below) it becomes quite clear that the attackers prefer to focus only on a few countries instead of random infections in different countries.”

To spread and infect computers using Skype, Shylock uses a malicious Skype plugin called “msg.gsm”. This plugin apparently allows the malware to send messages and transfer files, clean messages and transfers from Skype history and even bypass the Skype warning for connecting to servers.

Shylock is named after a character in William Shakespeare’s The Merchant of Venice who was known for being a ruthless money lender.

