The New Frankenstein of Trojans: Meet Shifu Banking Threat!


Recently released IBM research states that a new, sophisticated Trojan is attacking banks in Japan. The threat combines the best features of several earlier banking malware families, which makes it a phenomenal threat.

This malware is estimated to have affected at least 14 Japanese banks, and it could very possibly spread to other regions and countries.

Based on its malicious capabilities, IBM security experts have tagged the threat as particularly sophisticated and complex. They named it Shifu.

The Shifu Trojan was designed to capture bank customers' banking details. The details captured include passwords, PINs, usernames and data keyed into HTTP browser forms. Private certificates and the external authentication certificates used by some banks were also compromised. According to the IBM research, the cybercriminals behind Shifu used the malware to literally take over customers' accounts at the affected banks in Japan.

If the stolen banking details apply to an attached smartcard, Shifu will easily steal and exploit the data contained on it. Where a victim has cryptocurrency wallets, Shifu won't hesitate to steal from them. The malware is sophisticated enough to tell when it has reached a point-of-sale, in which case it harvests the payment data.

The researchers were of the opinion that this malware is very similar to other banking Trojans such as Dridex, Zeus, Gozi and Shiz. They pointed out that the domain generation algorithm which it uses to produce domain names for its botnet communications is very similar to the one used in Shiz.

There is every indication that Shifu has borrowed its stupefying and evasive techniques from the Zeus banking malware. It has also borrowed its anti-virus disabling capability from the same malware. The command execution tricks that Shifu employs to hide on the Windows file system are borrowed heavily from the Gozi malware.

Shifu is very versatile and is capable of wiping the local system restore point clean in order to cover its tracks on victim devices. This behavior is very similar to what the Conficker worm did in 2009. Moreover, Shifu's capability to steal passwords, PINs, usernames and other sensitive data from its targets replicates the Corkow Trojan, which compromised several banks in Ukraine and Russia in 2014.

Given its capabilities, Shifu easily takes the Frankenstein title as far as banking Trojans are concerned. It could also pass as the perfect Uber Patchwork. According to Limor Kessem, Senior IBM security expert, the person behind the development of Shifu harvested the best of previous dangerous banking Trojans. This criminal combined these features with modern technology to create the Shifu malware.

An additional feature of this malware is that it prevents other malware from attacking its territory: the system networks that it has already infected. Kessem adds that once Shifu is installed on a machine, it automatically adopts anti-virus-like behavior. It scans the machine and actively prevents other malware from infecting it.