Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Shifu Trojan Hits 14 Banks in Japan in a Sophisticated Attack

Name Shifu
Type Banking Trojan
Short Description Shifu is a sophisticated Banking Trojan that combines the features of other Trojans.
Symptoms The system is compromised and its sensitive data is stolen.
Distribution Method Not clear yet.
Detection tool Download SpyHunter, to See If Your System Has Been Affected By Shifu

A Banker Trojan is one of the many types of Trojan Horses. In computer and network safety, a Banking Trojan is any malicious program deployed to obtain confidential information about a bank’s customers and online banking systems. We have observed numerous Banker Trojans affecting banking facilities all around the world. A new sophisticated threat of the kind has been registered with extreme activity in Japan. The Trojan is dubbed Shifu and combines the best features of previously active banking malware. According to IBM research, Shifu has attacked more than 14 banks in Japan and may be employed in other countries as well.p16_0000

Read More about Banking Trojans:

Dyre Trojan

Types of Trojan Attacks

Shifu’s Set of Malicious Features

According to researchers at SecurityIntelligence, Shifu arrives with several built-in capabilities, supplemented by additional modules once it contacts the command-and-control server:

  • Anti-research, anti-VM and anti-sandbox tools.
  • Browser hooking parser.
  • Keylogger.
  • Screenshot and certificate grabber.
  • Endpoint classification, monitoring applications of interest.
  • Remote-access tool (RAT) and bot control modules.

The Shifu Banker is capable of stealing multiple banking-related details such as:

  • Usernames and passwords connected to financial accounts.
  • Credentials keyed into HTTP forms.
  • Private certificates.
  • External authentication tokens.

Thanks to its sophisticated set of features, cyber criminals behind Shifu can take over bank accounts and make it look like a children’s game.

However, that’s far from everything this Banker Trojan can do. Shifu is also designed to steal data from smart cards. The latter can happen if a smart card reader attached to the affected endpoint is located. Once this is done, Shifu can ‘scan’ and empty cryptocurrency wallets on attacked systems. Furthermore, the Trojan can detect if a point-of-sale system (PoS) is present and can steal credit or debit card data.

If any of the malicious activities described above seem familiar to you, it’s probably because Shifu has ‘rented’ many features of other popular banking Trojans such as Shiz, Dridex, and Zeus. IBM researchers have discovered the Domain Generation Algorithm Shifu uses to generate random domain names for botnet communications – the very same one used by Shiz.Botnet-example

Other features are borrowed from the Zeus Banker such as the ability to disable anti-virus tool. Additionally, Shifu has taken the ability to conceal itself in the Windows file system from Gozi. A functionality typical for the Conficker worm is also included in the Trojan – the capacity to wipe the local System Restore point to cover its tracks.

Shifu has also borrowed means from the Corcow Banker that was viral in 2014 among Russian and Ukranian banks – the methods used to steal credentials, authentication tokens, and sensitive information.

Shifu Infection Methods

It’s not a surprise that malware researchers refer to the Trojan as Frankenstein and ‘uber patchwork’. It is clear that the creators of Shifu know their way around malware and can combine old with new techniques. One of its most curious features is how the Trojan attempts to avert other malicious pieces from attacking the systems it has already infected. Once the Trojan is inside the system, it will launch an antivirus-related component that will scan for other threats and prevent them from downloading onto the machine.

Files received from insecure HTTP connections will be blocked, as well as unsigned or executable files. Files labeled as malicious will be copied to the local disk and will be named ‘infected.exx’, then they will be uploaded to the command and control server. Shifu will then send an ‘out of memory’ message to the system in the attempt to launch the malicious file on the compromised computer.

Shifu is not the first Trojan that will try and stop other malware pieces already located on the system. What is new here is the Trojan’s ability to block actively new malware from being installed onto the infected system.

What Are the Chances of Infections in Other Locations?

Even though the threat was detected only Japan, the chances of it spreading to other countries are quite real. The list of targeted banks can be changed in just a few minutes. Since Shifu is an expert in combining old and new techniques, nobody knows what his creators will decide to do next.

Banking Trojans can affect both banking organizations and common users. JS/Banker.BA for instance is a JavaScript banking Trojan that seeks to obtain the user’s private credentials. It will try and intercept the connection between a computer and an online banking system. To make sure that your system is intact, you may want to scan it via anti-malware software. You can also have a look at the step-by-step Trojan removal guide below the article.

1. Start Your PC in Safe Mode to Remove Shifu.

For Windows XP, Vista, 7 systems:

1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:

For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.

Capture

For PCs with multiple operating systems: Тhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.

safe-mode-windows

3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter“.

4. Log on to your computer using your administrator account

windows-safe-mode-running

While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.

For Windows 8, 8.1 and 10 systems:
Step 1: Open the Start Menu
Windows-10-0 (1)
Step 2: Whilst holding down Shift button, click on Power and then click on Restart.
Step 3: After reboot, the aftermentioned menu will appear. From there you should choose Troubleshoot.
Windows-10-1-257x300
Step 4: You will see the Troubleshoot menu. From this menu you can choose Advanced Options.
Windows-10-2 (1)
Step 5: After the Advanced Options menu appears, click on Startup Settings.
Windows-10-3 (1)
Step 6: Click on Restart.
Windows-10-5 (1)
Step 7: A menu will appear upon reboot. You should choose Safe Mode by pressing its corresponding number and the machine will restart.

2. Remove Shifu automatically by downloading an advanced anti-malware program.

To clean your computer you must download an updated anti-malware program on a safe PC and then install it on the affected computer in offline mode. After that you should boot into safe mode and scan your computer to remove all Shifu associated objects.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.