14 Japanese banks under attack by Shifu banking trojan

Sep 1, 2015 08:19 GMT  ·  By

The defenses of Japanese banks and financial institutions are being put under a serious test these days by a new banking trojan created from a mix of previously detected malware.

According to the IBM Security X-Force staff, the first signs of this new banking trojan appeared in April this year and were discovered by IBM Red Cell, a security task force working specifically within the financial sector.

This new trojan was codenamed Shifu, the Japanese word for thief.

Since its first sighting, Shifu has been seen targeting banks and financial institutions in Japan, Austria, Germany, and other European countries. Currently, IBM is detecting a Shifu campaign against 14 Japanese banks.

Shifu, the Frankenstein of banking trojans

What makes Shifu highly dangerous right now is that it's not your classical banking trojan. As the IBM team puts it, Shifu has been created by savvy developers that relied "on a few tried-and-true Trojan mechanisms from other infamous crimeware codes."

As you can see in the table below, Shifu uses small bits and pieces from other banking trojans used in the past, their source code having leaked online at one point or another.

What it borrowed from other malware strains | From whom
Domain Generation Algorithm (DGA) to hide communications with its botnet | Shiz
Theft of passwords, authentication token files, user certificate keys and sensitive data from Java applets | Corcow, Shiz
Anti-research techniques to hide itself from security analysis tools | Zeus
Stealthy command execution scheme to hide itself in the Windows file system | Gozi/ISFB Trojan
Configuration file written in XML format | Dridex
Wipes the local System Restore point on infected machines | Conficker
Communicates via a secure connection that uses a self-signed certificate | Dyre

By mixing and matching the good parts of all the aforementioned banking trojans, Shifu's creators assembled a sophisticated piece of malware that is hard to detect, and even worse, has a broader choice of targets.

And if things weren't bad enough, following the pattern set by almost all recently discovered malware and ransomware strains, Shifu also uses a modular architecture that communicates with a C&C (command-and-control) server to fetch real-time instructions and load modules based on the infected target's features.

Default Shifu modules
Anti-research tool
Anti-VM tool
Anti-sandbox tool
Remote-access tool (RAT)
Browser hooking system
Webinject parser
Screenshot grabber
Certificate grabber
Keylogger
Bot-control module
Endpoint classification
Module for monitoring applications of interest

Shifu targets a very broad spectrum of financial platforms

As IBM is reporting, the Shifu banking trojan was detected stealing information from a diverse range of devices and platforms.

Shifu can steal credentials from HTTP form data, it can scrape authentication tokens from banking applications, it can find and steal private certificates, and can even detect smartcard readers attached to a PC and exfiltrate data from them.

Cryptocurrency wallets aren't safe either, as Shifu comes with updated support for the latest trends in online funds transactions.

In case Shifu detects it has landed on a POS (Point of Sale) platform, it then deploys a memory-scraping module to collect data specific to those systems.

Shifu comes with its own anti-malware system

Probably the most ironic detail in its innovative design is that Shifu is one of the few malware strains that comes with its own antivirus.

Yes, you've read that right. Once Shifu has infected a victim's machine, it installs a special module that keeps other banking trojans at bay.

If this module sees suspicious, malware-looking content (unsigned executables) arriving over insecure HTTP connections, it tries to stop it. If that fails, it renames the files to "infected.exx" and sends them to its C&C server. If the file is designed to autorun, Shifu spoofs an operating system "Out of memory" message.

By doing this, Shifu's owners maximize their profits from each infected victim by not allowing other cyber-criminals to benefit from weakly protected banking endpoints.
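The "infected.exx" rename described above is a host-side artifact a defender can hunt for. As an added example that is not code from the article or from IBM's report, the Python filter below scans endpoint file-event records for files renamed to that name and reports the host and the renaming process; the JSON-lines event format and its field names are an assumption made for this example, not any vendor's real schema, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Filename the article reports Shifu gives to executables it intercepts.
SHIFU_RENAME_TARGET = "infected.exx"

# Constructed sample telemetry (not real data). Field names are assumed for
# this example; "updsvc.exe" is a made-up process name, not a known Shifu IoC.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "event": "file_rename", "process": "updsvc.exe", "pid": 2208, "src": "C:\\Users\\a\\Downloads\\update.exe", "dst": "C:\\Users\\a\\Downloads\\infected.exx"}
{"host": "ws-01", "event": "file_rename", "process": "WINWORD.EXE", "pid": 3100, "src": "C:\\Users\\a\\Documents\\report.docx", "dst": "C:\\Users\\a\\Documents\\report_final.docx"}
{"host": "ws-02", "event": "file_create", "process": "chrome.exe", "pid": 990, "path": "C:\\Users\\b\\Downloads\\setup.exe"}
{"host": "ws-02", "event": "file_rename", "process": "updsvc.exe", "pid": 4412, "src": "C:\\Users\\b\\Downloads\\setup.exe", "dst": "C:\\Users\\b\\Downloads\\INFECTED.EXX"}
this line is deliberately malformed telemetry
"""


def _basename(path):
    """Last path component, case-folded, tolerant of both separator styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_shifu_renames(lines):
    """Return every rename record whose destination filename is infected.exx."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the hunt
        if rec.get("event") != "file_rename":
            continue
        if _basename(rec.get("dst", "")) == SHIFU_RENAME_TARGET:
            hits.append(rec)
    return hits


def summarize_by_host(hits):
    """Map each host to the set of (process, pid) pairs that did the renaming,
    so the responsible process can be pulled for memory and disk triage."""
    by_host = defaultdict(set)
    for rec in hits:
        by_host[rec["host"]].add((rec["process"], rec["pid"]))
    return dict(by_host)


if __name__ == "__main__":
    for host, procs in summarize_by_host(
            find_shifu_renames(SAMPLE_EVENTS.splitlines())).items():
        print(host, "->", sorted(procs))
```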

As for its origin, several clues in the trojan's code indicate that its authors may be Russian. However, IBM Security X-Force also notes that these clues could have been inherited from the parts recycled from other malware, or left intentionally to throw security researchers off the trail, since Russia is a common source of cyber-crime.

Images: Shifu's main targets; Japanese banking institutions attacked by new banking trojan