A new development observed in the sophisticated financial banking Trojan.Shylock highlights the ongoing evolution of this threat. Shylock, a threat first observed by Trusteer in September 2011, was named after a character in Shakespeare's play ‘The Merchant of Venice’ because quotes from the play were found in the original binary code. Symantec has now observed a new generation of this threat in the wild. This new generation of Shylock is using a social engineering trick for propagation along with a polymorphic packer that changes every time the threat is downloaded in an effort to evade detection. These updates to Shylock are reported to be causing numerous problems relating to hidden files for Internet forum users.
The reported attacks all begin with a Java vulnerability. We have seen exploitation of two specific Java vulnerabilities:
- Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544): Patched by Oracle in October 2011.
- Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507): Patched by Oracle in February 2012.
The malicious .jar files used in this attack are detected by our IPS signature: Web Attack: Malicious Jar Download 10. Once exploited, a “loader” executable containing a random prefix, followed by a static string of y7f76.exe, is downloaded. This file then connects to a command-and-control (C&C) server in order to retrieve a “Hijacker” executable file with a name similar to 2Atmp.exe. Both file types were initially detected by Symantec as Trojan.Shylock!gen7 and have since been remapped to Trojan.Shylock.B and Trojan.Shylock.B!gen1.
The “Hijacker” is the main component that collects information about the compromised computer and sends it to the C&C server. It injects itself into the svchost.exe process and receives commands from the C&C server. The threat can perform the following commands on a compromised computer:
- Execute files
- Get cookies
- Inject HTTP into a website
- Set up VNC
- Spread on removable drives
- Uninstall itself
- Update C&C server list
- Upload files
In order to carry out some of the above commands, the “Hijacker” file must download additional components. The following diagram shows the previously described threat actions, from infecting the computer through a Java exploit to downloading additional components:
Figure 1. Anatomy of “LNK” awakening
One of the more unusual components we have seen downloaded by the “Loader” file is “DiskSpread”. This component is responsible for spreading the threat through removable drives and network shares. Previously, we had blogged about a targeted attack campaign that was using social engineering to trick users into executing what were believed to be image files of Tibetan protestors. In actuality, the files were shortcut files (known by their extension, .lnk) that would call upon the original image file, whilst also executing a malicious file named thumbs.dbh. This new Shylock campaign seems to be using a similar method for spreading within compromised environments.
It spreads by replacing different types of document files, located in removable drives and network shares, with links to malicious executable files. The “DiskSpread” component identifies removable drives and network shares and searches for the following file types:
- .acc[RANDOM CHARACTER]
- .ad[RANDOM CHARACTER]
- .bat
- .com
- .doc
- .docx
- .exe
- .lnk
- .ma[RANDOM CHARACTER]
- .md[RANDOM CHARACTER]
- .one
- .pps
- .ppsx
- .ppt
- .pptx
- .vdx
- .vsd
- .vss
- .vst
- .vsx
- .vtx
- .xls
- .xlsx
Once a targeted file type is found by Shylock, the following process takes place:
- The original file is renamed to “Copy of [ORIGINAL FILE NAME].[EXTENSION]” and the attributes are changed to “Hidden” and “System”. This results in the file being hidden from the user.
- The threat creates a hidden copy of the “Loader” component in the same folder and names it thumbs.dbh.
- An “[ORIGINAL FILE NAME].lnk” file is created to serve as a replacement for the original document, and as bait for users to click on it. The .lnk files, as seen in the example image below, contain commands to execute the hidden thumbs.dbh file and to open the original document that was hidden from the user. This way, the user can only open the hidden file by executing the malicious .lnk file. New computers become compromised as the threat spreads through removable drives or as network shares are accessed.
Figure 2. Shylock .lnk files
While this may be a nasty trick used by Shylock for spreading, it is easily remedied. As the original files are only hidden, and the documents are not infected or deleted, they can be recovered simply by changing file attributes using a Windows command such as:
attrib -h -s [drive:][path]*.*
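To find the folders that need this recovery, the three artifacts described above (a hidden, system “Copy of” file, a thumbs.dbh file, and a matching .lnk) can be matched against a directory listing. The following Python code is an added example, not Symantec tooling; the function names and the sample listing are constructed for illustration.

```python
import os

# Windows FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM bit values
HIDDEN, SYSTEM = 0x2, 0x4
LOADER_NAME = "thumbs.dbh"   # hidden Loader copy named in the write-up
PREFIX = "copy of "          # prefix given to the renamed original

# Constructed sample listing of one folder on a removable drive: (name, attribute bits)
SAMPLE = [
    ("Copy of report.docx", HIDDEN | SYSTEM | 0x20),  # renamed, hidden original
    ("report.lnk", 0x20),                             # bait shortcut
    ("thumbs.dbh", HIDDEN | 0x20),                    # Loader copy
    ("Copy of notes.doc", 0x20),                      # ordinary user copy, not hidden
    ("budget.xls", 0x20),                             # untouched document
]

def find_diskspread_artifacts(entries):
    """Match one folder's (name, attrs) listing against the DiskSpread pattern."""
    names = {name.lower(): (name, attrs) for name, attrs in entries}
    replaced = []
    for lower, (name, attrs) in sorted(names.items()):
        hidden_system = (attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM)
        if not (lower.startswith(PREFIX) and hidden_system):
            continue  # a visible "Copy of ..." file is an ordinary user copy
        original = name[len(PREFIX):]
        # The bait shortcut is "[ORIGINAL FILE NAME].lnk" (extension replaced)
        bait = names.get(os.path.splitext(original)[0].lower() + ".lnk")
        replaced.append({
            "hidden_original": name,
            "original_name": original,
            "bait_lnk": bait[0] if bait else None,
        })
    return {"loader_present": LOADER_NAME in names, "replaced": replaced}

def scan_folder(path):
    """Build the listing for a real folder; attribute bits exist only on Windows."""
    entries = []
    for e in os.scandir(path):
        if e.is_file(follow_symlinks=False):
            st = e.stat(follow_symlinks=False)
            entries.append((e.name, getattr(st, "st_file_attributes", 0)))
    return entries

if __name__ == "__main__":
    print(find_diskspread_artifacts(SAMPLE))
```

On a Windows host, `find_diskspread_artifacts(scan_folder(path))` applies the same check to a mounted drive or share; a folder with `loader_present` set and a non-empty `replaced` list is a candidate for the attribute reset above.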
The evolution of Shylock shows that the malware authors are continuing their development of this threat, and are willing to try out creative social engineering tricks in their campaigns. We do not expect this to be the last time we see new iterations of this threat in the wild and are continuing to monitor the threat landscape.
As always, we recommend that you follow best security practices and ensure that you have the most up-to-date software patches in place, and that you use the latest Symantec technologies and virus definitions to ensure you have the best protection against threats.