A new version of the Shylock malware is now capable of spreading through Skype. The malware is spreading mainly in the U.K., Europe and the U.S. and is playing off the fact that Microsoft is about to kill its Messenger application in favor of Skype.
The Skype replication is implemented with a plugin called "msg.gsm". This plugin allows the code to spread through Skype and adds the following functionality:
- Send messages and transfer files
- Clean messages and transfers from Skype history
- Bypass Skype warning/restriction for connecting to Skype
None of the popular antivirus products is capable of detecting this malware to date. Check the report of msg.gsm on VirusTotal.
The malware is designed specifically to steal credentials for online banking sites, and also has the ability to perform code-injection attacks.
Besides using Skype, it also spreads through local shares and removable drives. Basically, the C&C functions allow the attacker to:
- Execute files
- Get cookies
- Inject HTTP into a website
- Set up VNC
- Spread through removable drives
- Update C&C server list
- Upload files
Shylock is one of the most advanced Trojan-bankers currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.
The spread of the malware: