IBM has issued a warning over a new banking Trojan that, so far, has affected 14 Japanese banks. Named “Shifu” by IBM Security X-Force – after the Japanese word for thief – the malware has been around since April 2015, but only unearthed now by IBM security researchers.
Although it has so far only been observed attacking banks in Japan, it can also be used to target electronic banking platforms in Europe. “At this time, only Japan is seeing active attacks,” says IBM cyber security evangelist Limor Kessem.
Kessem describes Shifu as a “highly sophisticated banking Trojan”. IBM’s analysis, she adds, indicates that it has borrowed a number of features and modules from other widely banking Trojans, including the well-known Zeus and Dridex, as well as Shiz and Gozi.
“The Shifu Trojan may be a new beast, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal make-up was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with select features from the more nefarious of the bunch,” says Kessem.
These similarities include, she adds:
Domain generation algorithm: Shifu uses the Shiz Trojan’s domain generation algorithm, which is easy to find online. The developers behind Shifu use it to generate random domain names for covert botnet communications;
Theft from banking apps: Theft of passwords, authentication token files, user certificate keys and sensitive data from Java applets, a technique borrowed from banking Trojans Corcow and Shiz. Both Trojans used these mechanisms to target banking applications in Russia and Ukraine. Shifu also targets Russian banks as part of its target list, in addition to Japanese banks;
Anti-security: Shifu’s string obfuscation and “anti-research techniques” were taken from Zeus and include the disabling of security tools and sandboxes;
Stealth: Part of Shifu’s stealth techniques were unique to the Gozi/ISFB Trojan. Shifu uses the same command execution scheme as Gozi to hide itself in the Windows file system;
Configuration: The Shifu Trojan is operated with a configuration file written in XML, which is not a common format for Trojans – but similar to the Dridex Trojan’s configuration;
Wipe system restore: Shifu wipes the local System Restore point on infected machines in a similar way to the Conficker worm, which was propagated in 2009.
“On the less technical side, Shifu communicates via secure connection that uses a self-signed certificate, just like the one used by the Dyre Trojan,” adds Kessem.
She continued: “This Trojan steals a large variety of information that victims use for authentication purposes, covering different sorts of authentication. For example, it keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications. These elements enable Shifu’s operators to use confidential user credentials and take over bank accounts held with a large variety of financial service providers.
“Shifu scans, parses and exfiltrates data from smartcards if they are attached to a smartcard reader on the endpoint, and searches crypto-currency wallets to steal from the infected victim.”
However, one intriguing twist that IBM has found with Shifu are attributes that indicate that its operators also intend to target point-of-sale systems. According to Kessem, Shifu has a RAM-scraping plug-in – typically be used to exploit a glaring security hole in the PCI-DSS security standards, which do not require point-of-sale data to be encrypted as when it is being processed at the till system.
“RAM scraping is the top method for siphoning credit and debit cards’ track 1 and track 2 data, used in major breaches like the Target breach,” says Kessem.