Shifu Trojan Hits 14 Banks in Japan in a Sophisticated Attack


A Banking Trojan is one of the many types of Trojan Horses. In computer and network security, a Banking Trojan is any malicious program deployed to obtain confidential information about a bank’s customers and online banking systems.

We have observed numerous Banking Trojans affecting banking facilities all around the world. A new sophisticated threat of this kind has been observed to be highly active in Japan. The Trojan is dubbed Shifu and combines the best features of previously active banking malware. According to IBM research, Shifu has attacked more than 14 banks in Japan and may be employed in other countries as well.

Shifu’s Set of Malicious Features

According to researchers at SecurityIntelligence, Shifu arrives with several built-in capabilities, supplemented by additional modules once it contacts the command-and-control server:

  • Anti-research, anti-VM and anti-sandbox tools.
  • Browser hooking parser.
  • Keylogger.
  • Screenshot and certificate grabber.
  • Endpoint classification, monitoring applications of interest.
  • Remote-access tool (RAT) and bot control modules.

The Shifu Banker is capable of stealing multiple banking-related details such as:

  • Usernames and passwords connected to financial accounts.
  • Credentials keyed into HTTP forms.
  • Private certificates.
  • External authentication tokens.

Thanks to its sophisticated set of features, the cyber criminals behind Shifu can take over bank accounts and make it look like child’s play.

However, that’s far from everything this Banker Trojan can do. Shifu is also designed to steal data from smart cards, which it can do if it locates a smart card reader attached to the affected endpoint. Shifu can also ‘scan’ for and empty cryptocurrency wallets on attacked systems. Furthermore, the Trojan can detect whether a point-of-sale (PoS) system is present and steal credit or debit card data from it.

If any of the malicious activities described above seem familiar to you, it’s probably because Shifu has ‘rented’ many features of other popular banking Trojans such as Shiz, Dridex, and Zeus. IBM researchers have discovered that the Domain Generation Algorithm Shifu uses to generate random domain names for botnet communications is the very same one used by Shiz.

Other features are borrowed from the Zeus Banker, such as the ability to disable anti-virus tools. Additionally, Shifu has taken from Gozi the ability to conceal itself in the Windows file system. A functionality typical of the Conficker worm is also included in the Trojan – the capacity to wipe the local System Restore point to cover its tracks.

Shifu has also borrowed means from the Corcow Banker that was viral in 2014 among Russian and Ukrainian banks – the methods used to steal credentials, authentication tokens, and sensitive information.

Shifu Infection Methods

It’s not a surprise that malware researchers refer to the Trojan as Frankenstein and ‘uber patchwork’. It is clear that the creators of Shifu know their way around malware and can combine old and new techniques. One of its most curious features is how the Trojan attempts to prevent other malware from attacking the systems it has already infected. Once the Trojan is inside the system, it launches an antivirus-like component that scans for other threats and prevents them from being downloaded onto the machine.

Files received over insecure HTTP connections are blocked, as are unsigned or executable files. Files labeled as malicious are copied to the local disk under the name ‘infected.exx’ and then uploaded to the command and control server. Shifu then returns an ‘out of memory’ message to any attempt to launch the malicious file on the compromised computer.

Shifu is not the first Trojan that tries to stop other malware already located on the system. What is new here is the Trojan’s ability to actively block new malware from being installed onto the infected system.

What Are the Chances of Infections in Other Locations?

Even though the threat has been detected only in Japan, the chances of it spreading to other countries are quite real. The list of targeted banks can be changed in just a few minutes. Since Shifu is an expert in combining old and new techniques, nobody knows what its creators will decide to do next.

Banking Trojans can affect both banking organizations and common users. JS/Banker.BA, for instance, is a JavaScript banking Trojan that seeks to obtain the user’s private credentials by intercepting the connection between a computer and an online banking system. To make sure that your system is intact, you may want to scan it with anti-malware software. You can also have a look at the step-by-step Trojan removal guide below the article.

Milena Dimitrova


An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
