In July 2014, the Microsoft Digital Crimes Unit, working with the Microsoft Malware Protection Centre, engaged industry partners to sinkhole and disrupt the Caphaw (Shylock) banking malware botnet. Caphaw targeted several high-profile European banks and used social engineering tactics on Facebook, Skype and YouTube to infect machines with information-stealing components.
This presentation covers the inner workings of the malware and its arsenal of tools. We’ll describe the injection techniques that allowed it to persist on a machine once installed, and the encryption and botnet communications it employed; both have become typical of modern botnet malware. We’ll also study Caphaw’s configuration file and the web injection scripts it used to steal sensitive financial information from its victims. We’ll explore the characteristics of its modular architecture, which allowed it to quickly change its modus operandi.
The presentation will also review what happened leading up to and during the takedown, and demonstrate why this family of malware was a good candidate for a takedown based on its technical aspects. It will present telemetry about Caphaw, including its geographic distribution and most likely targets, to demonstrate the importance of telemetry. Lastly, we’ll describe the overall takedown process from start to finish, and explain how the various partners came together to achieve this outcome.