Shylock refers to a family of malware that relies on browser-based man-in-the-middle (MITM) attacks and fake digital certificates to intercept network traffic and inject code into banking websites. The Shylock malware was first discovered in February 2011 and derives its name from references in the code to Shakespeare’s The Merchant of Venice.
The Shylock malware code is designed to trick customers into providing banking login and account details to hackers instead of to the bank’s customer service department. Some Shylock strains even have the ability to open a fake customer service chat window on an infected computer to enable cybercriminals to prompt the user for their sensitive account information.
Newer strains of the Shylock malware have added the ability to detect whether the malware is running in a virtual machine (VM) that’s being analyzed by malware researchers. The Shylock malware does this to help make analysis more difficult and avoid detection by security researchers.
Virtual machines are frequently employed by security teams to test programs in simulated environments to more easily detect malicious behavior. When the Shylock malware detects it is being run in a virtual environment, the code will shut down the program.