IBM warns of 'masterful' new Shifu banking Trojan

IBM researchers have found the 'Shifu' Trojan attacking Japanese banks, as well as new information-stealing malware called CoreBot - both with Russian origins.

IBM links Russians to newly discovered malware
IBM links Russians to newly discovered malware

IBM has discovered a new banking Trojan attacking 14 Japanese banks and potentially targeting select electronic banking platforms used across Europe. IBM has named the malware ‘Shifu', after the Japanese word for thief, and says it is “a highly sophisticated banking Trojan” which has borrowed a number of features and modules from other banking Trojans' leaked source codes – including Shiz, Gozi, Zeus and Dridex.

IBM has also spotted a second Trojan with Russian origins, an information-stealing package named CoreBot whose bolt-on design means it can easily add extra data theft and endpoint control features. IBM has found CoreBot targeting enterprise endpoints and calls it “one malware piece to watch out for”.

The twin threats have been highlighted by Limor Kessem, one of IBM Trusteer's top cyber intelligence experts, in blogs co-written with other IBM malware hunters.

She said Shifu has been active since at least April 2015, and it appears its “internal makeup was composed by savvy developers with select features from the more nefarious other banking malware”.

Shifu uses the Shiz Trojan's domain generation algorithm (DGA), while one of its principal mechanisms is the theft of passwords, authentication token files, user certificate keys and sensitive data from Java banking applets – as with Corcow's and Shiz's codes.

Kessem explained: “Both these Trojans used these mechanisms to target the banking applications of Russia and Ukraine-based banks. Shifu, too, targets Russian banks as part of its target list, in addition to Japanese banks.”

Kessem said Shifu's string obfuscation and anti-research techniques are taken from Zeus VM (in its Chtonik/Maple variation), and it communicates via secure connection using a self-signed certificate, like the Dyre Trojan.

Shifu comes with anti-research, anti-VM and anti-sandbox tools; a browser hooking and webinject parser; keylogger; screenshot grabber; certificate grabber; endpoint classification, monitoring applications of interest; and remote-access tool (RAT) and bot-control modules.

Kessem also said: “Beyond their interest in defrauding bank accounts, Shifu's operators target payment card data. Shifu deploys a RAM-scraping plugin to collect payment card data. Shifu also looks for digital signature credentials issued by certification authorities to business banking users, particularly in Italy.”

Kessem also highlighted the fact that “Shifu's operators appear to have no intention of sharing the spoils with anyone outside their gang”.

She explained: “Once Shifu has landed on a newly infected machine, it activates an antivirus-type feature designed to keep all other malware out of the game by stopping the installation of suspicious files. This is the first time we are seeing malware build ‘rules' for suspicious files to make sure that the endpoint it's on remains in its exclusive control from the moment of infection.”

Page 1 of 2