{
	"id": "b6bdc781-19cf-42cc-a4f3-e7900b4151c9",
	"created_at": "2026-04-06T00:06:37.760228Z",
	"updated_at": "2026-04-10T03:20:55.232842Z",
	"deleted_at": null,
	"sha1_hash": "f3ba6d5ff4f656e6bd1c6a617274003dedf824aa",
	"title": "New Version of Shylock Malware Spreading Through Skype",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44889,
	"plain_text": "New Version of Shylock Malware Spreading Through Skype\r\nBy Dennis Fisher\r\nPublished: 2013-01-17 · Archived: 2026-04-05 20:39:59 UTC\r\nThere is a new version of the Shylock malware that is now capable of spreading through Skype. The new version\r\nis spreading mainly in the U.K., Europe and the U.S. and is playing off the fact that Microsoft is about to kill its\r\nMessenger application in favor of Skype.\r\nThe new version of Shylock has a number of new capabilities, but its goal is the same: stealing sensitive financial\r\ndata from infected machines. Shylock has been known publicly for more than a year and researchers have watched\r\nit morph and adapt its tactics in the last few months. The malware, like other Trojan bankers of its ilk, is designed\r\nspecifically to steal credentials for online banking sites, and also has the ability to perform code-injection attacks.\r\nOne recent change in the Shylock malware’s capabilities was the addition of a feature that can detect whether the\r\nmalware is being installed on a remote machine via the RDP protocol. That method is one that malware analysts\r\nand researchers use to analyze the behavior of malware.\r\nThe newest addition to Shylock’s arsenal is its ability to spread via Skype instant messages. An analysis by\r\nresearchers at CSIS in Denmark shows that the newest version of the malware includes a plugin named\r\n“msg.gsm” that uses the chat function in Skype in order to spread to new machines. 
The malware relies on a\r\nnetwork of infected Web sites to perform drive-by download attacks as the initial infection vector, and once it is\r\nresident on a new machine and finds the Skype application, it then sends malicious links to the victim’s contacts\r\nthrough the chat function.\r\n“The Skype replication is implemented with a plugin called “msg.gsm“. This plugin allows the code to spread\r\nthrough Skype and adds the following functionality:\r\n– Sending messages and transferring files\r\n– Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )\r\n– Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)\r\n– Sends request to server: https://a[removed]s.su/tool/skype.php?action=…,” according to the CSIS analysis.\r\nThe newest Shylock malware also includes some other extra features, such as the ability to spread via network\r\nshares and USB drives. The attacker behind the malware has the ability to perform a number of functions once\r\nhe’s on the infected machine, including stealing cookies, injecting malicious code into Web sites and downloading\r\nand executing files.\r\nThis is by no means the first piece of Skype malware that has emerged in recent years. Other samples have had the\r\nability to spread via USB drives, as well.\r\nSource: https://threatpost.com/new-version-shylock-malware-spreading-through-skype-011713/77416/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/new-version-shylock-malware-spreading-through-skype-011713/77416/"
	],
	"report_names": [
		"77416"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3ba6d5ff4f656e6bd1c6a617274003dedf824aa.pdf",
		"text": "https://archive.orkl.eu/f3ba6d5ff4f656e6bd1c6a617274003dedf824aa.txt",
		"img": "https://archive.orkl.eu/f3ba6d5ff4f656e6bd1c6a617274003dedf824aa.jpg"
	}
}