Customers of Japanese banks are on the front line of attacks based on a new and sophisticated banking trojan, mashed together from leaked bits of malware code.
Shifu (named after the Japanese word for thief) is targeting 14 Japanese banks as well as electronic banking platforms used across Europe, according to security researchers from IBM Trusteer.
Taking ideas from the creation of Frankenstein’s monster, Shifu is made up of powerful pieces of code from leaked (discarded and arguably dead) malware variants.
Some of Shifu’s features and modules were borrowed from other banking Trojans’ leaked source codes, including Shiz, Gozi, Zeus and Dridex.
Shifu’s string obfuscation and anti-research techniques were taken from the infamous ZeuS banking trojan. Its stealth techniques are lifted from Gozi.
Etay Maor, senior cybersecurity strategist at IBM X-Force, which conducts security research for business and IT leaders, commented: "The X-Force research team is still investigating the different infection patterns of the malware; it is most likely spread via spamming campaigns which lead to infection points (as this is the MO for most malware), however the issue is still under investigation."
And Shifu wipes the local System Restore point on infected machines in a similar way to the Conficker worm, a major internet menace back in 2009. Shifu communicates via a secure connection that uses a self-signed certificate, just like the Dyre Trojan.
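Self-signed certificates on command-and-control channels, as described above for Shifu and Dyre, are something a network defender can hunt for in TLS connection logs. The script below is an added example, not code from IBM's write-up or from this article: it parses a constructed, Zeek-style ssl.log excerpt (hosts, names and certificate subjects are made up), flags connections whose certificate is self-signed, and then ranks the flagged servers by how many distinct internal hosts contacted them, since a self-signed certificate on its own is noisy (internal appliances use them) but one shared by several endpoints is a better beaconing lead. The log layout and the OpenSSL validation-status wording are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a Zeek ssl.log (tab-separated, header-led).
# Addresses are from documentation ranges; nothing here is a real indicator.
SAMPLE_SSL_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name\tissuer\tsubject\tvalidation_status
1441000001.1\t10.0.0.15\t203.0.113.7\t443\t-\tCN=srv01\tCN=srv01\tself signed certificate
1441000002.2\t10.0.0.15\t198.51.100.20\t443\tbank.example\tCN=Example CA,O=Example\tCN=bank.example\tok
1441000003.3\t10.0.0.22\t203.0.113.7\t443\t-\tCN=srv01\tCN=srv01\tself signed certificate
1441000004.4\t10.0.0.30\t192.0.2.9\t8443\tupdate.example\tCN=update.example\tCN=update.example\tself signed certificate
"""


def parse_ssl_log(text):
    """Parse a header-led, tab-separated ssl.log body into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return list(reader)


def is_self_signed(rec):
    """True when the validator said so, or when issuer and subject coincide.

    Assumption: validation_status carries OpenSSL's verify text, which reads
    'self signed certificate' or 'self-signed certificate' depending on version.
    """
    status = rec.get("validation_status", "").lower().replace("-", " ")
    if "self signed" in status:
        return True
    issuer, subject = rec.get("issuer", "-"), rec.get("subject", "-")
    return issuer != "-" and issuer == subject


def find_self_signed(records):
    """Keep only the connections that presented a self-signed certificate."""
    return [r for r in records if is_self_signed(r)]


def servers_by_fan_in(flagged):
    """Map each flagged server to the number of distinct internal clients."""
    clients = defaultdict(set)
    for r in flagged:
        clients[r["id.resp_h"]].add(r["id.orig_h"])
    return {server: len(hosts) for server, hosts in clients.items()}


def shared_self_signed_servers(text, min_hosts=2):
    """Servers with self-signed certs contacted by at least min_hosts clients."""
    fan_in = servers_by_fan_in(find_self_signed(parse_ssl_log(text)))
    return sorted(s for s, n in fan_in.items() if n >= min_hosts)


if __name__ == "__main__":
    for r in find_self_signed(parse_ssl_log(SAMPLE_SSL_LOG)):
        print(f"{r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']}  subject={r['subject']}")
    print("shared self-signed servers:", shared_self_signed_servers(SAMPLE_SSL_LOG))
```

On the sample data the bank connection with a CA-issued certificate is left alone, three connections are flagged, and only 203.0.113.7 is reported as shared, because two different internal hosts reached it. In practice the threshold and an allow-list of known internal appliances would be tuned to the network.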
“Shifu’s internal makeup was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with select features from the more nefarious of the bunch,” IBM’s researchers note.
Once installed, Shifu keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications.
It uses webinjections to fool users of infected machines. Shifu scans, parses and exfiltrates data from smartcards once a reader is connected to an infected endpoint. The trojan also lifts any cryptocurrency wallets found on infected devices.
This six-pack of banking trojan functionality is supplemented by RAM scraper malware, a type of threat that played an integral part in turning over US retailer Target and others.
Shifu comes pre-configured to lift payment card data from compromised retail networks. The malware scans infected endpoints for strings that may indicate it has landed on a point of sale (POS) terminal. Once planted on a cash machine, Shifu deploys a RAM scraping plugin to collect payment card data.
In addition, Shifu comes with security tools designed to prevent other malware from installing on a newly infected machine. The malware wants exclusive control of compromised systems.
Analysis of Shifu’s scripts uncovered comments written in Russian, circumstantial evidence that Shifu was put together by someone or a team from the Russian-speaking world.
A write-up of the threat can be found in a blog post on IBM’s Security Intelligence blog here. ®