Powerful New Banking Trojan Attacks Japan, Other Countries at Risk

An extremely dangerous and highly sophisticated new banking Trojan was recently spotted in the wild by researchers from IBM's Security X-Force. Named Shifu, which means thief in Japanese, the Trojan appears to have been active since April of this year, although it was discovered only in recent weeks by IBM staff members using antifraud platforms that continuously monitor customer endpoints around the world. Shifu currently targets 14 Japanese banks as well as electronic banking platforms throughout Europe, although at this time only Japan is experiencing active attacks from this Trojan. Shifu contains a variety of advanced features, many of which appear to be borrowed from the leaked source code of other notorious banking Trojans, including Zeus, Dridex, Shiz, and Gozi.

The use of features from these malware variants makes Shifu a patchwork of the most dangerous banking Trojans discovered in the last few years. It could be used to launch a global attack potentially worth hundreds of millions of dollars in stolen funds if it is not stopped before reaching targets in the U.S. and Europe at large. Although a malware variant as advanced as Shifu hasn't surfaced in some time, the inner workings of the Trojan aren't necessarily unfamiliar to security researchers once it is broken down into its core components. Whoever is behind Shifu is obviously very familiar with other banking Trojans, because many of the malware's features bear striking similarities to some of the more nefarious tactics used by the aforementioned banking Trojans upon which Shifu is based, including:

Domain Generation Algorithm - Similar to the Shiz Trojan, Shifu uses DGA to generate random domain names for communication between botnet nodes and the C&C servers behind the malware campaign.

Targeting of Banking Apps - Shifu leverages password, authentication token, and user certificate key theft tactics via vulnerabilities in Java similar to the tactics used in both Corcow and Shiz. Both of these Trojans targeted banking applications for Russian-based targets and while Shifu also targets Russian banks, the developers of this malware have also decided to target Japanese banking customers.

Anti-Security Tools - Shifu uses both string obfuscation and anti-research techniques that are clearly borrowed from Zeus. The addition of this feature allows Shifu to disable active security tools and detect sandbox installations to make detection and removal of Shifu extremely difficult.

Stealth - Like Gozi, Shifu uses a unique series of stealth techniques to hide within the Windows file system without detection.

XML Configuration File - The configuration file used by Shifu once installed on a targeted machine is written in XML. This is not a common format for Trojans but it was used very successfully in the Dridex Trojan campaign so the developers of Shifu decided it would work for their campaign too.

Deleting System Restore Points - Once installed on a machine Shifu wipes all local System Restore points to make removal of the malware more difficult. A similar technique was used by the Conficker worm, a malware strain that created havoc for Windows machines in 2009.

Secure Communications - Shifu borrows the idea of a self-signed certificate for secure communication between the botnet and C&C servers just like the Dyre Trojan. This makes it difficult for security researchers to detect the communications between the infected machine and the rest of the botnet.
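The DGA and self-signed certificate traits in the list above can be hunted together in outbound TLS logs. The following Python code is an added example, not code from IBM's analysis or from this article; the log field names, thresholds and sample records are constructed assumptions, and the name test is a generic heuristic, not Shifu's actual algorithm.

```python
import math
from collections import Counter

# Constructed sample records (not real telemetry): one entry per outbound TLS
# session, with hypothetical field names a proxy or network sensor might log.
SAMPLE_SESSIONS = [
    {"host": "pc-017", "sni": "www.example-bank.co.jp",
     "subject": "CN=www.example-bank.co.jp", "issuer": "CN=Example Public CA"},
    {"host": "pc-017", "sni": "qzxkvtrhwpmd.info",
     "subject": "CN=qzxkvtrhwpmd.info", "issuer": "CN=qzxkvtrhwpmd.info"},
    {"host": "pc-022", "sni": "intranet.corp.example",
     "subject": "CN=intranet.corp.example", "issuer": "CN=intranet.corp.example"},
    {"host": "pc-031", "sni": "xkqjzvwpbtgh.net",
     "subject": "CN=xkqjzvwpbtgh.net", "issuer": "CN=Example Public CA"},
]

def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def looks_generated(domain, min_len=10, min_entropy=3.0, max_vowel_ratio=0.2):
    """Generic heuristic: long, high-entropy, vowel-poor label (assumed thresholds)."""
    # Longest label stands in for the registrable name; a production check
    # would split on the public suffix list instead.
    label = max(domain.lower().split("."), key=len)
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def is_self_signed(session):
    """Log-level approximation: issuer equals subject (no signature check)."""
    return session["subject"] == session["issuer"]

def triage(sessions):
    """Return (host, sni, severity); both traits together rank 'high'."""
    findings = []
    for s in sessions:
        hits = int(looks_generated(s["sni"])) + int(is_self_signed(s))
        if hits:
            findings.append((s["host"], s["sni"], "high" if hits == 2 else "review"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SESSIONS):
        print(*finding)
```

Either trait alone is common in benign traffic (internal services with self-signed certificates, CDN hostnames), which is why only the combination is ranked high.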


The basic Shifu package that is installed on a targeted PC doesn't contain too much in the way of dangerous capabilities, but the malware can be upgraded at any time once it has established contact with its C&C server. Basic functionality that installs with the initial infection package includes:

Browser hooking and Web injection parser
Anti-sandbox, anti-virtual machine, and anti-research tools
Keylogger
Certificate grabber
Screenshot grabber
Ability to monitor applications of interest
Remote access tools (RAT) and modules for bot-control

Although these tools may seem dangerous enough, this represents only the tip of the proverbial iceberg, as the hackers behind Shifu can add new modules at any time once an infection has been successfully implemented on a PC of interest. What makes Shifu extremely dangerous is the fact that the malware is capable of stealing a large and varied assortment of information that can be used for authentication purposes.

For example, Shifu is capable of keylogging passwords, grabbing credentials used for HTTP form data, stealing private certificates, and scraping external authentication tokens used by many banking applications.

This information allows the cybercriminals behind the Shifu campaign to use sensitive user credentials to hijack bank accounts from a significant number of financial institutions. Shifu can even scan, parse, and exfiltrate data from smartcards if attached to the infected endpoint device, as well as sniff out cryptocurrency wallets stored on the PC to steal these funds from the victim.

The versatility of this malware variant doesn't end there. In addition to stealing banking credentials from users, Shifu can also target payment card data from POS systems. If a POS system is detected by Shifu, a RAM-scraping plugin is deployed that collects payment data, similar to the POS malware campaigns that have been plaguing major retailers around the world for the last few years, including Target and Neiman Marcus.

Finally, Shifu doesn't like to play with other malware. Once a PC has been infected with the banking Trojan, the malware monitors the processes on the PC as it looks for any application that communicates with the Internet on a regular basis. Specifically, the Trojan hooks the URLDownloadToFile function in search of any files that could be other forms of malware. These files are sent to the C&C server and the victim OS is supplied with a spoofed "Out of Memory" message to prevent other malware from sharing the spoils of the infected PC. This feature ensures that Shifu is the only malware installed on the PC, and it serves as a way for the hackers behind this campaign to monitor the "competition" as it relates to malware infections.

It’s worth noting that although Shifu is currently only attacking banks in Japan and Russia, the malware platform has the potential to attack targets anywhere in the world and because Shifu was written using code from malware variants that have been largely successful in the United States, the hackers behind Shifu can easily modify the configuration file of the Trojan to target banks in the U.S. in the near future.

As of this writing, Shifu is only detected by approximately 34% of antivirus software, making it a serious threat for PC users around the world. Since Shifu relies on Java vulnerabilities to steal information, the best protection from this malware is to ensure that Java is updated to the latest version. Make sure that automatic updating is enabled to receive the latest security patches from Oracle as they are released. Also, monitor online banking activity regularly and immediately report any suspicious activity to your financial institution to prevent fraudulent attempts to steal your funds. As always, keep Windows and any third-party applications updated to limit the vulnerabilities used by Shifu and other banking Trojans. Although Shifu isn't targeting US-based PCs at this time, the hackers behind this campaign could change the configuration file at any time, so the best bet for PC users around the world is to remain vigilant until this threat is mitigated by antivirus solutions.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
