430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Shifu, a dangerous Banking Trojan is Attacking Japanese Banks

The Shifu Banking Trojan is a new sophisticated malware that has been used to target the customers of more than a dozen Japanese banks. Shifu is the name of a new banking trojan that has been around since at least April targeting Japanese banks and a number of European e-banking platforms. “Shifu currently targets 14 […]

Muji

The Shifu Banking Trojan is a new sophisticated malware that has been used to target the customers of more than a dozen Japanese banks.

Shifu is the name of a new banking trojan that has been around since at least April targeting Japanese banks and a number of European e-banking platforms.

“Shifu currently targets 14 Japanese banks and select electronic banking platforms used across Europe; however, at this time, only Japan is seeing active attacks.” states a blog post published by IBM.

The Shifu banking trojan was designed to circumvent e-banking users by stealing their credentials and digital certificates, it is also able to scrape banking app authentication tokens, and exfiltrate data from smart cards connected to the infected machine.

The Shifu banking Trojan also targets digital signature credentials issued to business users by certification authorities, the malware authors harvest them to impersonate victims and sign documents and sign documents for them. The digital signature is very popular in Italy, where IBM observed a significant activity of the malware.

Shifu is a sophisticated malware that was already used to target customers of 14 Japanese financial organizations. It borrows features from several well-known banking trojan including the popular Zeus VM and Dridex

Shifu infections

Shifu uses a domain generation algorithm for its control infrastructure, the DGA it implements is quite similar the one used by the Shiz Trojan, meanwhile it implements evasion techniques borrowed from ZeusGozi and Dridex. Another similarity with other malware is the Shifu’s ability to Wipe System Restore point on the infected machines like the Conficker worm (2009).

Shifu uses self-signed certificates to protect traffic to/from C&C servers from which retrieve configuration files.

The Shifu banking Trojan also implements other interesting features, it sets up a local Apache server that is later used to decipher obfuscated requests sent when fetching web injects from the remote server and it prevents other malware from infecting the victim machine by monitoring incoming traffic and files.

“Shifu’s injections are selective and change according to the targeted entity. In some cases, it replaces the bank’s entire page with a fake replica designed to harvest the data Shifu’s operators are after,” Limor Kessem, cybersecurity evangelist at IBM, explained in a blog post. “In other cases, the Trojan displays social engineering content on the page using JavaScript injections to ask victims for additional authentication elements it will need for a subsequent fraudulent transaction, such as PII or one-time passwords.”

Another interesting feature found in Shifu is designed to keep other malware out. It prevents other threats from infecting the victim device by monitoring incoming files for ones that might carry malware, such as executables, unsigned files, and elements coming from HTTP connections.

The initial Shifu package implements the following features as explained by the experts at IBM:

  • Anti-research, anti-VM and anti-sandbox tools;
  • Browser hooking and webinject parser;
  • Keylogger;
  • Screenshot grabber;
  • Certificate grabber;
  • Endpoint classification, monitoring applications of interest;
  • Remote-access tool (RAT) and bot-control modules.

According to IBM, there is another feature that makes the Shifu banking trojan very attractive for the criminal ecosystem, a RAM-scraping plugin used by the malware to scrape the RAM of point-of-sale (PoS) systems.

Despite it is very difficult to attribute the malware to a specific criminal crew, evidence collected by the experts at IBM analyzing the source code suggests that the authors of the Shifu banking trojan are Russian speakers.

IBM Security X-Force will release a detailed report on Shifu in the coming week.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Shifu, Japan)

[adrotate banner=”5″]

[adrotate banner=”13″]