A few weeks ago researchers at Security Intelligence announced the discovery of the sophisticated banking Trojan Shifu, the malicious code has been used to target the customers of more than a dozen Japanese banks. Shifu is considered by the experts an advanced threat, it is suspected to have been developed by Russian-speaking authors that borrowed features from several well-known banking trojan including the popular Zeus VM and Dridex.
The Shifu banking trojan was designed to circumvent e-banking users by stealing their credentials and digital certificates, it is also able to scrape banking app authentication tokens, and exfiltrate data from smart cards connected to the infected machine.
The Shifu banking Trojan also targets digital signature credentials issued to business users by certification authorities, the malware authors harvest them to impersonate victims and sign documents and sign documents for them.
The expert predicted a rapid diffusion of Shifu and unfortunately, they were right, Shifu has spread from Japan and begun actively attacking UK banks and wealth management firms.
“X-Force researchers confirmed that Shifu is actively attacking online banking customers in order to perform fraudulent transactions. The Shifu Trojan may be new crimeware, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal makeup is being composed by savvy developers who are intimately familiar with other types of banking malware.” states the post published by Security Intelligence.
The authors of the malware have introduced specific features to target users in the UK, the sample detected by the experts in the country no longer injects malicious code into the explorer.exe process, rather launch a new svchost instance and performs all actions from that process.
Shifu began spreading to UK targets in mid-September 2015, initially only a few machines were infected by the banking trojan, but by Sept. 22 hundreds of endpoints were compromised per day.
“Although one relatively modest campaign has already taken place, IBM X-Force researchers believe more widespread infection sprees are yet to come in the U.K. This is likely to be followed with future propagation into other parts of Europe and the U.S.”
The threat actor behind the Shifu campaign is using a variant of the Angler EK which is offered for sale in the underground since 2013.
The researchers observed that the infection process relies on compromised websites hosting the popular Angler exploit kit meanwhile the attack vector are spam emails.
“Although Angler is used by many cybercriminals, they all rely on its ability to evade security mechanisms and its multistep attack technique. To keep automated security off its tracks, Angler attacks are based on a redirection scheme that begins with a clean page or advertising banner and eventually lands on an Angler-poisoned page. The victim’s endpoint is then scanned for the corresponding vulnerabilities, followed by exploitation and the eventual payload drop.” states Security Intelligence.
(Security Affairs – Shifu, banking Trojan)