Shifu is the name of a new banking trojan that has been around since at least April targeting Japanese banks and a number of European e-banking platforms.
“Shifu currently targets 14 Japanese banks and select electronic banking platforms used across Europe; however, at this time, only Japan is seeing active attacks.” states a blog post published by IBM.
The Shifu banking trojan was designed to circumvent e-banking users by stealing their credentials and digital certificates, it is also able to scrape banking app authentication tokens, and exfiltrate data from smart cards connected to the infected machine.
The Shifu banking Trojan also targets digital signature credentials issued to business users by certification authorities, the malware authors harvest them to impersonate victims and sign documents and sign documents for them. The digital signature is very popular in Italy, where IBM observed a significant activity of the malware.
Shifu is a sophisticated malware that was already used to target customers of 14 Japanese financial organizations. It borrows features from several well-known banking trojan including the popular Zeus VM and Dridex
Shifu uses a domain generation algorithm for its control infrastructure, the DGA it implements is quite similar the one used by the Shiz Trojan, meanwhile it implements evasion techniques borrowed from Zeus, Gozi and Dridex. Another similarity with other malware is the Shifu’s ability to Wipe System Restore point on the infected machines like the Conficker worm (2009).
Shifu uses self-signed certificates to protect traffic to/from C&C servers from which retrieve configuration files.
The Shifu banking Trojan also implements other interesting features, it sets up a local Apache server that is later used to decipher obfuscated requests sent when fetching web injects from the remote server and it prevents other malware from infecting the victim machine by monitoring incoming traffic and files.
Another interesting feature found in Shifu is designed to keep other malware out. It prevents other threats from infecting the victim device by monitoring incoming files for ones that might carry malware, such as executables, unsigned files, and elements coming from HTTP connections.
The initial Shifu package implements the following features as explained by the experts at IBM:
According to IBM, there is another feature that makes the Shifu banking trojan very attractive for the criminal ecosystem, a RAM-scraping plugin used by the malware to scrape the RAM of point-of-sale (PoS) systems.
Despite it is very difficult to attribute the malware to a specific criminal crew, evidence collected by the experts at IBM analyzing the source code suggests that the authors of the Shifu banking trojan are Russian speakers.
IBM Security X-Force will release a detailed report on Shifu in the coming week.
(Security Affairs – Shifu, Japan)