Shifu Trojan Features ‘Power Patchwork’ of Banking Malware

Security researchers have unearthed a new banking trojan that combines tried-and-tested features from existing malware families to target the customers of mainly Japanese financial institutions and platforms.

IBM’s X-Force team named the ‘Shifu’ trojan after the Japanese word for ‘thief’, Big Blue cybersecurity evangelist Limor Kessem revealed in a blog post.

It features a variety of real-time data-theft mechanisms and methods for controlling infected endpoints, she claimed, adding:

“This Trojan steals a large variety of information that victims use for authentication purposes, covering different sorts of authentication. For example, it keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications. These elements enable Shifu’s operators to use confidential user credentials and take over bank accounts held with a large variety of financial service providers.

Shifu scans, parses and exfiltrates data from smartcards if they are attached to a smartcard reader on the endpoint, and searches cryptocurrency wallets to steal from the infected victim.”

As if this weren’t enough, the trojan is also equipped with a RAM-scraping plug-in designed to collect payment data if it finds itself on a point-of-sale (POS) endpoint.

The malware activates an “anti-virus type feature” once installed on a victim’s machine in order to keep any other malicious code away.

The trojan itself is a hotchpotch of features copied from existing notorious banking trojans.

These include the domain generation algorithm used by the Shiz trojan; obfuscation and sandbox disabling from Zeus; stealth techniques copied from the Gozi/ISFB trojan; and the theft of passwords, authentication token files, user certificate keys and sensitive data from Java applets in a way similar to Shiz and Corcow.

IBM reckons the new trojan – which has so far only been spotted in active attacks in Japan – was developed by natives of former Soviet Union countries, since some of the comments in its code are written in Russian.

The firm is warning that it may well spread to other regions in the future.