Skip to content ↓ | Skip to navigation ↓

Attackers are targeting dozens of financial institutions with Caphaw malware, also known as Shylock, putting customers at risk of losing assets by way of compromised account credentials.

Though the malware has been in the wild since at least 2011, infection rates have risen significantly in recent months as the malicious agent has employed a Domain Generation Algorithm (DGA) to direct command and control messaging through multiple IPs with self-signed SSL certificates, according to reports.

“The Caphaw Trojan is a financial malware attack that functions similarly to the Carberp, Ranbyus, and Tinba threats according to analysis done by WeLiveSecurity Researcher, Alekandr Matrosov. These attacks are carried out utilizing stealth tactics both on and off the wire,” wrote Zscaler’s Sachin Deodhar and Chris Mannon.

“Caphaw avoids local detection by injecting itself into legitimate processes such as explorer.exe or iexplore.exe, while simultaneously obfuscating its phone home traffic through the use of Domain Generated Algorithm created addresses using Self Signed SSL certificates. This limits the ability of traditional network monitoring solution to dissect the packets on the wire for any malicious transactions.”

Caphaw is mostly targeting European institutions, with the highest infection rates found in UK, Italy, Denmark and Turkey, is known to be preying on systems with vulnerable versions of Java, and is extremely stealthy.

“The variation in the dropped executable is different across every instance, so its no wonder standard AV is having a problem keeping up (1/46 at time of research). This AV performance also indicates that the likelihood of someone proactively catching this infection inside their network is fairly low at the time of this writing,” the researchers noted.

Read More Here…