Banking Trojan Shifu Turns Up in UK


UK banking customers have been warned that advanced trojan malware Shifu has migrated from Japan to covertly target and take over their accounts.

IBM Security X-Force cybersecurity evangelist Limor Kessem explained in a blog post that the banking trojan, discovered less than a month ago, now has 18 UK targets and has ramped up activity to infect hundreds of endpoints per day.

Online banking and wealth management customers are first lured via spam email to compromised websites that redirect them to the Angler Exploit Kit.

Kessem continued:

“Although Angler is used by many cybercriminals, they all rely on its ability to evade security mechanisms and its multistep attack technique. To keep automated security off its tracks, Angler attacks are based on a redirection scheme that begins with a clean page or advertising banner and eventually lands on an Angler-poisoned page. The victim’s endpoint is then scanned for the corresponding vulnerabilities, followed by exploitation and the eventual payload drop.”

Shifu first came to light at the beginning of September. It borrows features from several existing banking trojans, including the domain generation algorithm from Shiz and the obfuscation and sandbox-evasion techniques from Zeus, IBM said at the time.

Also featured were stealth techniques copied from Gozi/ISFB, and the theft of passwords, authentication token files, user certificate keys and sensitive data from Java applets, as in Shiz and Corcow.

The bad news is that the malware authors – believed to be Russian-speaking – are “already working on internal changes to Shifu” designed to ensure it continues to evade security filters.

“For example, in its new, UK-dedicated samples, Shifu no longer injects into the explorer.exe process,” Kessem explained. “Rather, it has modified its action path to launch a new svchost instance and performs all actions from that process instead.”

IBM also warned that the trojan is likely to seek out fresh victims in Europe and the US in future.

Shifu is named after the Japanese word for ‘thief.’
