Shifu, a dangerous Banking Trojan is Attacking Japanese Banks

The Shifu Banking Trojan is a new sophisticated malware that has been used to target the customers of more than a dozen Japanese banks.

Shifu is the name of a new banking trojan that has been around since at least April targeting Japanese banks and a number of European e-banking platforms.

“Shifu currently targets 14 Japanese banks and select electronic banking platforms used across Europe; however, at this time, only Japan is seeing active attacks.” states a blog post published by IBM.

The Shifu banking trojan was designed to circumvent e-banking users by stealing their credentials and digital certificates, it is also able to scrape banking app authentication tokens, and exfiltrate data from smart cards connected to the infected machine.

The Shifu banking Trojan also targets digital signature credentials issued to business users by certification authorities, the malware authors harvest them to impersonate victims and sign documents and sign documents for them. The digital signature is very popular in Italy, where IBM observed a significant activity of the malware.

Shifu is a sophisticated malware that was already used to target customers of 14 Japanese financial organizations. It borrows features from several well-known banking trojan including the popular Zeus VM and Dridex

Shifu uses a domain generation algorithm for its control infrastructure, the DGA it implements is quite similar the one used by the Shiz Trojan, meanwhile it implements evasion techniques borrowed from Zeus, Gozi and Dridex. Another similarity with other malware is the Shifu’s ability to Wipe System Restore point on the infected machines like the Conficker worm (2009).

Shifu uses self-signed certificates to protect traffic to/from C&C servers from which retrieve configuration files.

The Shifu banking Trojan also implements other interesting features, it sets up a local Apache server that is later used to decipher obfuscated requests sent when fetching web injects from the remote server and it prevents other malware from infecting the victim machine by monitoring incoming traffic and files.

“Shifu’s injections are selective and change according to the targeted entity. In some cases, it replaces the bank’s entire page with a fake replica designed to harvest the data Shifu’s operators are after,” Limor Kessem, cybersecurity evangelist at IBM, explained in a blog post. “In other cases, the Trojan displays social engineering content on the page using JavaScript injections to ask victims for additional authentication elements it will need for a subsequent fraudulent transaction, such as PII or one-time passwords.”

Another interesting feature found in Shifu is designed to keep other malware out. It prevents other threats from infecting the victim device by monitoring incoming files for ones that might carry malware, such as executables, unsigned files, and elements coming from HTTP connections.

The initial Shifu package implements the following features as explained by the experts at IBM:

• Anti-research, anti-VM and anti-sandbox tools;
• Browser hooking and webinject parser;
• Keylogger;
• Screenshot grabber;
• Certificate grabber;
• Endpoint classification, monitoring applications of interest;
• Remote-access tool (RAT) and bot-control modules.

According to IBM, there is another feature that makes the Shifu banking trojan very attractive for the criminal ecosystem, a RAM-scraping plugin used by the malware to scrape the RAM of point-of-sale (PoS) systems.

Despite it is very difficult to attribute the malware to a specific criminal crew, evidence collected by the experts at IBM analyzing the source code suggests that the authors of the Shifu banking trojan are Russian speakers.

IBM Security X-Force will release a detailed report on Shifu in the coming week.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Shifu, Japan)

[adrotate banner=”5″]

[adrotate banner=”13″]