{
	"id": "5b5479f7-e83c-492a-b052-b959f3e54b52",
	"created_at": "2026-04-06T00:12:07.800814Z",
	"updated_at": "2026-04-10T13:12:14.070704Z",
	"deleted_at": null,
	"sha1_hash": "adf4a82050cc1e9d2172dba6be13484e03abf56c",
	"title": "Caphaw attacking major European banks using webinject plugin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 640541,
	"plain_text": "Caphaw attacking major European banks using webinject plugin\r\nBy Aleksandr Matrosov\r\nArchived: 2026-04-05 13:04:51 UTC\r\nMalware\r\nAnalysis of malicious code dubbed Win32/Caphaw (a.k.a. Shylock) attacking major European banks, with the ability\r\nto automatically steal money while the user is actively accessing his banking account.\r\n25 Feb 2013 • 6 min. read\r\nMalicious code dubbed Win32/Caphaw (also known as Shylock) has been attacking major European banks for\r\nmore than a year (it started to spread in the fall of 2011). Caphaw caught my attention at the beginning of 2013\r\nand I started tracking this threat closely. In this blog post I’ve collected the more interesting observations made\r\nover this time period, including the fact that this is one of the few pieces of malware that can automatically steal\r\nmoney while the user is actively accessing his banking account. (Earlier I published detailed analyses of\r\nattacks on Russian banks and cybercrime group activity in the Russian region: Carberp, Ranbyus, Hodprot, and\r\nothers.)\r\nThe most common regions for detecting Caphaw are the United Kingdom, Italy, Denmark and Turkey. According\r\nto ESET detection statistics, the period when it was most actively spreading was during the last months of 2012.\r\nhttps://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/\r\nPage 1 of 10\n\nESET Virus Radar statistics show the regions most affected by Caphaw infection during the last week.\r\nThe Bot\r\nWin32/Caphaw has functionality typical of banking malware, and in this part of the post I describe only its more\r\ninteresting traits. This threat has many techniques for bypassing security software and evading automated processing\r\nof malware samples. Caphaw injects its body into all running processes and has a multithreaded, event-based\r\narchitecture for the execution of C\u0026C tasks. 
Injected malicious code can use inter-process communication (IPC)\r\nvia a named pipe.\r\nCaphaw sets many hooks on system functions, and one of the most interesting intercepted functions is\r\nInitiateSystemShutdownEx(). This hook makes it possible to control the reboot/shutdown process and lets the\r\nmalware restore itself after some antivirus cleaning procedures have been carried out, since the hook runs before\r\nthe shutdown proceeds.\r\nAll string constants in the Caphaw body are encrypted with a simple custom algorithm:\r\nCaphaw performs indirect checks for execution under popular virtual machine environments (VMware, VirtualBox\r\nand VirtualPC). It detects virtual machines by the names of active processes and drivers. Those names are not\r\nstored in clear text but as custom hash values computed by the following algorithm:\r\nThis is what some example code for VMware detection looks like:\r\nThese tricks make it possible for Caphaw to bypass automated sandbox analysis. And every few hours the dropper\r\nfiles on the C\u0026C server are repacked by a custom polymorphic cryptor service in order to bypass static detection\r\nby antivirus signatures. Drive-by URLs with repacked droppers look like this list:\r\nThe URLs have the following format:\r\nhttps://[random subdomain].[domain]/[DIR]/[DIR-random string]/[dropper file]?r=[random number]\r\nAt first glance it may look as if the random numbers in the URL are created by a special generation algorithm. This\r\nis not the case: the malware can use any random number. 
In Caphaw's body the random\r\nnumber generation algorithm looks like this:\r\nThe URLs for requesting additional modules, webinjects and configuration files, and for transferring data to the C\u0026C,\r\nhave the following format:\r\nHere's an illustration of how a bot configuration file request to the C\u0026C is built according to a special pattern:\r\nhttp://[URL format]/[key]\u0026id=[bot id]\u0026inst=[master or slave]\u0026net[botnet id]\u0026cmd=cfg\r\nA response from the C\u0026C side looks like this:\r\nSuch responses have the following structure:\r\nhttp://[random subdomain].[domain]/[DIR]/[file_name.jpg]?r=[random number]\r\nThe bot configuration file is encrypted with the RC4 stream cipher. The encryption scheme has the following structure:\r\nBase64(RC4(cfg_data)). After decryption the configuration file is XML like this:\r\nInside the configuration file we find the name of the botnet, the C\u0026C addresses and the request format for downloadable\r\nplugins.\r\nPlugins\r\nWin32/Caphaw has functionality for downloading and executing additional plugins. 
All the plugins downloaded\r\nover the whole period during which we've been tracking this botnet are described in the following table:\r\nplugin name | detection name | description\r\nBackSocks | Win32/Caphaw.N | back-connect proxy based on SOCKS5\r\nftpgrabber | Win32/Caphaw.N | collects FTP passwords and searches for information in MS Outlook mail stores (.pst files)\r\nVNC | Win32/Caphaw.N | standard VNC functionality, like the plugin from Zeus\r\nDiskSpread | Win32/AutoRun.Caphaw.A | worm functionality that spreads via shared folders and removable media\r\nMessengerSpread | Win32/Caphaw.M | worm functionality that spreads via Skype messages\r\nRootkit | Win32/Wolcape.A (driver), Win32/Wolcape.B (dropper) | MBR bootkit component that replaces the user-mode trojan on request\r\nVideoGrabber | Win32/Caphaw | plugin embedded in the main bot body that records a video stream and sends it to the C\u0026C in a RAR archive\r\nA plugin that distributes Win32/Caphaw through Skype was first tracked in January 2013 by Yurii\r\nKhvyl and Peter Kruse from CSIS (Shylock calling Skype). The next interesting plugin is an MBR-bootkit module\r\n(detected by ESET as Win32/Wolcape.A) which is downloaded to infected machines by special request from the\r\nC\u0026C. This bootkit is based on MBR modification and provides manual loading of an unsigned driver. The\r\nmalicious INT 13h handler (the BIOS interrupt that reads sectors from the hard drive) in the infected MBR looks like this:\r\nThe malicious driver is stored in the NTFS file system in the following directory:\r\nThe driver module is encrypted with the RC4 cipher using a 256-byte key, but the key carries only 4 bytes of entropy,\r\nbecause it is produced by expanding the 4-byte constant “KuKu” until it fills the 256-byte range. 
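The two encryption details above, the Base64(RC4(cfg_data)) scheme for the bot configuration and the 4-byte “KuKu” constant expanded to a 256-byte RC4 key for the driver, in working form. This is an added example written for this page, not code from the original post or from the malware: the RC4, Base64 and key-expansion routines are standard, the sample configuration and key are constructed (the post does not give the user-mode config key), and the expansion is read as repetition of the constant, which the post describes only as the constant filling the 256-byte range. The check it demonstrates is that RC4 key scheduling indexes the key modulo its length, so decrypting with the expanded key and with the bare 4-byte constant gives identical output: the 256-byte key adds nothing, and a decryptor can simply use the constant.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4: key-scheduling (KSA) followed by the keystream generator (PRGA).
    # KSA reads key[i % len(key)], so a key that is just a short constant repeated
    # produces exactly the same permutation as the short constant on its own.
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

def expand_kuku(const: bytes = b'KuKu', length: int = 256) -> bytes:
    # The expansion the post describes for the driver key: the 4-byte constant is
    # repeated until it fills a 256-byte range (repetition is an assumption; the
    # post does not show the routine, only that the constant fills the range).
    return (const * (length // len(const) + 1))[:length]

def decrypt_config(blob: str, key: bytes) -> bytes:
    # Inverse of the Base64(RC4(cfg_data)) scheme the post gives for the bot config.
    return rc4(key, base64.b64decode(blob))

def encrypt_config(cfg: bytes, key: bytes) -> str:
    # Forward direction, used here only to build test data.
    return base64.b64encode(rc4(key, cfg)).decode('ascii')

# Constructed sample data: not a real Caphaw configuration or key. The post does
# not state the key used for the user-mode config, so a placeholder is used.
SAMPLE_KEY = b'placeholder-config-key'
SAMPLE_CFG = b'<cfg><botnet>demo_net</botnet><cc>cc.example.invalid</cc></cfg>'

def demo() -> dict:
    blob = encrypt_config(SAMPLE_CFG, SAMPLE_KEY)
    recovered = decrypt_config(blob, SAMPLE_KEY)
    # Driver key: decrypting with the 256-byte expanded key and with the bare
    # 4-byte constant gives identical results, i.e. the expansion adds no strength.
    fake_driver = b'fake driver image bytes (constructed)'
    ct = rc4(expand_kuku(), fake_driver)
    return {
        'config_roundtrip': recovered == SAMPLE_CFG,
        'kuku_expanded_equals_short': rc4(b'KuKu', ct) == fake_driver,
        'expanded_key_len': len(expand_kuku()),
    }

if __name__ == '__main__':
    print(demo())
```

Run it directly to print the demo() result. To decrypt a captured configuration, pass the Base64 string from the C\u0026C response to decrypt_config together with the key recovered from the sample; for the driver, rc4 with the bare constant is enough.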
Here's the call\r\ngraph for the routine that loads the malicious driver:\r\nThe malicious driver hooks typical system functions for hiding files and processes. The most interesting hooks are\r\nimplemented to intercept the \\\\Driver\\nsiproxy and \\\\Device\\Tcp objects in order to monitor/modify network traffic on\r\nan infected machine. The bootkit module configuration file uses the same encryption scheme as user-mode\r\nWin32/Caphaw, and the decrypted configuration file has the same XML structure, as presented\r\nhere:\r\nWebinjects and money stealing scheme\r\nDownloaded webinjects take the same form as the configuration data, but the encryption algorithm is different:\r\nthe data is first compressed with zlib in deflate mode and then encrypted with the same algorithm used for string\r\nencryption. Decrypted webinjects look like this:\r\nHere is a list of attacked banks from the latest configuration files with webinjects:\r\nregion | attacked banks\r\nUnited Kingdom | hsbc.co.uk, barclays.co.uk, santander.co.uk, bankofscotland.co.uk, firstdirect.co.uk, natwest.co.uk, rbs.co.uk\r\nItaly | poste.it, unicredit.it, cedacri.it, fineco.it\r\nOne of the interesting details in the code injected into a bank's web page is the substitution of all phone numbers\r\nwith fake numbers owned by the attacker (Merchant of Malice: Trojan.Shylock Injects Phone Numbers into\r\nOnline Banking Websites). 
This substitution is based on a special configuration of webinjects and has a unique\r\nstructure for the web page of each bank attacked.\r\nWin32/Caphaw is an interesting financial malware family: one of the few that has autoload functionality for\r\nautomatically stealing money while the user is actively accessing his banking account. An infected user can’t\r\nrecognize that his money is being stolen, because he sees fake data on the banking web page generated by the\r\nwebinjects' rules. (Autoloads bypass one-time password security checks, because the fraudulent transaction is\r\nperformed inside the session the user has already authenticated.) The same functionality was tracked in\r\nthe Carberp (Carberp Gang Evolution), Gataka (Win32/Gataka banking Trojan – Detailed analysis),\r\nWin32/Spy.Ranbyus (Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems) and Tinba malware\r\nfamilies. Just for the record, ESET antimalware does detect all of these threats.\r\nSpecial thanks to my colleagues Anton Cherepanov and Yurii Khvyl (CSIS)\r\nAleksandr Matrosov, Security Intelligence Team Lead\r\nSHA1 hashes for analyzed samples:\r\nWin32/Wolcape.A (driver) 766da148d74f7ea9aca692246a945bd70da6cf18\r\nWin32/Wolcape.B (bootkit dropper) f8da98763e345f42c62db02e51bf5d80342cd4d2\r\nWin32/Caphaw.N (VNC) b408c56af46237d04e23f77b40c0c6367f3adee7\r\nWin32/Caphaw.N (ftpgrabber) 1cc0ce07950f5b8589344977f15e2409a819efb9\r\nWin32/Caphaw.N (BackSocks) 43a6ff8c6e17e188e4650316d0627ebb110073d5\r\nWin32/Caphaw.M (MessengerSpread) aef115814e5b6af49187d07f3068130c5c910d84\r\nWin32/AutoRun.Caphaw.A (DiskSpread) 5da3dc57836c351d80653fb09a78a8a8dad87317\r\nSource: https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/"
	],
	"report_names": [
		"caphaw-attacking-major-european-banks-with-webinject-plugin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adf4a82050cc1e9d2172dba6be13484e03abf56c.pdf",
		"text": "https://archive.orkl.eu/adf4a82050cc1e9d2172dba6be13484e03abf56c.txt",
		"img": "https://archive.orkl.eu/adf4a82050cc1e9d2172dba6be13484e03abf56c.jpg"
	}
}