Shylock

Category: banking_trojan · Aliases: None known · Sample count (EMBER 2018): 21 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

TrojanDownloader:Win32/Shylock is an incredibly sophisticated, highly targeted banking trojan, notorious for its advanced 'Man-in-the-Browser' (MitB) capabilities and its innovative use of Domain Generation Algorithms (DGAs) combined with Skype for command and control resilience.

Understanding Shylock
To the victim, Shylock is entirely invisible until their bank account is drained. For a security analyst, Shylock (named after the Shakespearean character, due to its early code containing references to 'The Merchant of Venice') is a tier-one financial threat. It does not simply steal passwords; it actively modifies the victim's online banking session in real-time. It intercepts 2FA codes, alters transaction amounts dynamically, and hides the fraudulent transfers from the user's statement view.

Execution, Web Injects, and Mitigation Evasion
Shylock is typically distributed via drive-by downloads (`T1189`). Upon execution, it establishes persistence and immediately injects its core DLLs into `explorer.exe` (`T1055.001`). From there, it hooks the APIs of all running web browsers (Chrome, Firefox, IE) (`T1185`). When the user navigates to a targeted banking portal, Shylock's C2 server downloads a specific 'web inject' configuration. This allows Shylock to inject malicious HTML/JavaScript directly into the legitimate banking page (`T1111`), creating fake login forms or 2FA prompts that steal data directly from the DOM before it is encrypted by SSL/TLS.

Indicators of Compromise & Impact
The impact is massive financial fraud that bypasses standard 2FA mechanisms. Network logs will reveal anomalous DGA-based DNS requests (`T1568.002`). EDR platforms must alert on the injection of DLLs into `explorer.exe` or browser processes. A highly specific IoC for Shylock is the creation of a hidden partition or the abuse of Alternate Data Streams (ADS) to store its encrypted Virtual File System (VFS) to evade forensic detection.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1185Man-in-the-BrowserCollection
T1111Two-Factor Authentication InterceptionCredential Access
T1568.002Dynamic Resolution: Domain Generation AlgorithmsCommand and Control
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1564.004Hide Artifacts: NTFS File AttributesDefense Evasion

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_SHYLOCK {
    meta:
        description = "Detects Shylock (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "shylock" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Shylock Activity
id: e088c8fa68dfc3bc98f9e9a06f2c3b14
status: experimental
description: Detects generic indicators of the shylock malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*shylock*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Instantly isolate the endpoint; the attacker has active, real-time control over the user's web browser sessions.
  2. Initiate a mandatory password reset for all financial and corporate accounts accessed from the infected machine, utilizing a known-clean device.
  3. Capture a forensic memory image (RAM dump) to extract the decrypted web inject configurations and identify which specific banking portals were targeted.
  4. Assume total endpoint compromise; perform a clean OS rebuild and force the revocation of any session tokens or cookies stored on the machine.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not allow the user to log into any sensitive portal to 'check their balance'; the MitB trojan will intercept the login and modify the displayed balance.
  2. Avoid relying solely on basic antivirus scans, as Shylock stores its payload in encrypted Alternate Data Streams (ADS) that evade standard file-level scanning.

References & External Analysis

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/shylock.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.