NCA partners with FBI, Europol to disrupt Shylock Trojan

The UK's National Crime Agency has been working with the FBI and Europol to disrupt the infrastructure behind Shylock Trojan, malware which siphons money from European bank accounts.


The action is said to be the first of its kind for a UK law enforcement agency, with the NCA joining forces with partners in the public and private sectors to seize control of the Trojan's command and control (C&C) servers, as well as the domains through which infected machines communicate with that infrastructure.

Partners in the take-down included the FBI, Europol, GCHQ and the German Federal Police as well as security solution and service providers such as BAE Systems, Dell SecureWorks and Kaspersky Lab.

The operation was conducted at Europol's European Cybercrime Centre in The Hague in the Netherlands, and saw investigators from the NCA, the FBI and law enforcement agencies in the Netherlands, Turkey and Italy work together to coordinate the action in their respective countries. Law enforcement agencies from Germany, Poland and France also took part in the operation, albeit by operating from within their own countries.

Shylock – so named because its code contains excerpts from ‘The Merchant of Venice', the play by the English playwright William Shakespeare – is believed to have infected at least 30,000 PCs running the Microsoft Windows operating system worldwide, and targeted UK users in particular.

Victims were typically infected after clicking on a malicious phishing link, which led them to unwittingly download the malware. Once installed, Shylock would seek out funds held in business or personal banking accounts and transfer them to accounts controlled by the malware's operators.

Users have been advised to keep their operating system and security software up to date, whether through automatic or manual updates, to reduce the risk of infection.

The NCA coordinated the international action to take down this malware, which it suspected was built by developers based outside the UK.

Andy Archibald, deputy director of the National Crime Agency's National Cyber Crime Unit (NCCU), said that the purpose of the exercise was to have a ‘significant effect' on the infrastructure behind the malware.

“The NCA is coordinating an international response to a cyber-crime threat to businesses and individuals around the world,” he said in a statement. “This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cyber-crime impacting the UK.

“We continue to urge everybody to ensure their operating systems and security software are up to date.”

This news comes just a week after Archibald said that law enforcement needed to strike more partnerships with the private sector to help bring cyber-criminals to justice.

Troels Oerting, head of the European Cybercrime Centre (EC3), further added: “The European Cybercrime Centre is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure. EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communications, as well as cyber analysts and cyber experts.

“In this way we have been able to support frontline cyber investigators, coordinated by the UK's NCA, and working with the physical presence of the United States' FBI and colleagues from Italy, Turkey and the Netherlands, with virtual links to cyber units in Germany, France and Poland."

Reacting to the news, Raj Samani, EMEA CTO of McAfee – which is now part of Intel Security – pointed to this example and the recent takedown of Gameover Zeus as signs that international cyber-crime collaboration continues to improve.

“Much like the news around GameOver Zeus, this latest announcement demonstrates the importance of collaboration between the public and private sector in tackling the latest cyber threats,” he told SC via email.

“Shylock in particular has been successful in the theft of information necessary for banking fraud. Whilst the communications infrastructure has been taken down by law enforcement, internet users should have appropriate security software that is regularly updated to ensure they are not infected with future threats.”

Independent security consultant – and former Met Police Computer Crime Unit detective – Adrian Culley agreed and said that Shylock had become a big concern to the major European banks.

“The highly targeted Shylock advanced threat has been a significant issue for European financial institutions and banks for some time now,” he told SCMagazineUK.com. “It's very encouraging to see multi-agency efforts being taken on an international basis to address this. These are very real issues confronting many UK institutions.

“The Shylock attack had a not-insignificant amount of social engineering associated with it. Only time will tell to what degree this executive action has disrupted and/or dismantled the operation.”

Updated: Rob Miller, senior security consultant at MWR Infosecurity, praised the take-down but questioned how effective such take-downs are in the long run.

"This takedown is a clear sign of just how seriously the National Crime Agency is taking this threat. As Shylock uses both watering hole attacks and direct compromise of websites, taking down command and control servers is a difficult but effective method to defend against it.

"Ultimately though it will remain to be seen how effective the take-downs are in stopping such a widespread and constantly evolving threat. It will likely need further coordination between financial institutions and law enforcement to make sure everyone understands its methods and can stay ahead of the game."