IBM warns of 'masterful' new Shifu banking Trojan

News by Tim Ring

IBM researchers have found the 'Shifu' Trojan attacking Japanese banks, as well as new information-stealing malware called CoreBot - both with Russian origins.

IBM has discovered a new banking Trojan attacking 14 Japanese banks and potentially targeting select electronic banking platforms used across Europe. IBM has named the malware ‘Shifu’, after the Japanese word for thief, and says it is “a highly sophisticated banking Trojan” which has borrowed a number of features and modules from other banking Trojans' leaked source codes – including Shiz, Gozi, Zeus and Dridex.

IBM has also spotted a second Trojan with Russian origins, an information-stealing package named CoreBot whose bolt-on design means it can easily add extra data theft and endpoint control features. IBM has found CoreBot targeting enterprise endpoints and calls it “one malware piece to watch out for”.

The twin threats have been highlighted by Limor Kessem, one of IBM Trusteer's top cyber intelligence experts, in blogs co-written with other IBM malware hunters.

She said Shifu has been active since at least April 2015, and it appears its “internal makeup was composed by savvy developers with select features from the more nefarious other banking malware”.

Shifu uses the Shiz Trojan's domain generation algorithm (DGA), while one of its principal mechanisms is the theft of passwords, authentication token files, user certificate keys and sensitive data from Java banking applets – as with Corcow's and Shiz's codes.

Kessem explained: “Both these Trojans used these mechanisms to target the banking applications of Russia and Ukraine-based banks. Shifu, too, targets Russian banks as part of its target list, in addition to Japanese banks.”

Kessem said Shifu's string obfuscation and anti-research techniques are taken from Zeus VM (in its Chtonik/Maple variation), and it communicates via secure connection using a self-signed certificate, like the Dyre Trojan.

Shifu comes with anti-research, anti-VM and anti-sandbox tools; a browser hooking and webinject parser; keylogger; screenshot grabber; certificate grabber; endpoint classification, monitoring applications of interest; and remote-access tool (RAT) and bot-control modules.

Kessem also said: “Beyond their interest in defrauding bank accounts, Shifu's operators target payment card data. Shifu deploys a RAM-scraping plugin to collect payment card data. Shifu also looks for digital signature credentials issued by certification authorities to business banking users, particularly in Italy.”

Kessem also highlighted the fact that “Shifu's operators appear to have no intention of sharing the spoils with anyone outside their gang”.

She explained: “Once Shifu has landed on a newly infected machine, it activates an antivirus-type feature designed to keep all other malware out of the game by stopping the installation of suspicious files. This is the first time we are seeing malware build ‘rules’ for suspicious files to make sure that the endpoint it's on remains in its exclusive control from the moment of infection.”

IBM says Shifu shows some Russian origins, including comments written in Russian and specific strings that are not written in Cyrillic letters, but have meanings in Russian.

Kessem commented: “Shifu's developers could be either Russian speakers or native to countries in the former Soviet Union. It is also possible that the actual authors are obfuscating their true origin, throwing researchers off by implicating an allegedly common source of cyber-crime.”

She warned: “At this time, the malware is actively attacking banks in Japan, but it has the potential – and a target list in place – to spread.”


Meanwhile, IBM has uncovered the CoreBot Trojan, whose communications domains are registered to a Russian-based individual.

CoreBot uses a ‘Stealer’ plugin to seize personal credentials such as passwords and private certificates stored in all major browsers, as well as a range of FTP and mail clients, webmail accounts, crypto-currency wallets, private certificates and desktop applications.

Kessem told SC that the malware is currently being spammed indiscriminately across Europe.

In a blog on the Trojan, co-authored by IBM threat engineer Martin Korman, Kessem said it cannot yet intercept data in real time, but points out its “most interesting facility is its plugin system, enabling it to be modular and easily supplemented with new theft capabilities”.

CoreBot can use Windows PowerShell, Microsoft's task automation and configuration management framework, to fetch other malware from the internet, download and execute it on the infected PC, she said.

Kessem adds: “Unlike most information stealers, CoreBot has a DGA in place, although it is not presently activated. In CoreBot's case, the DGA parameters appear to generate different domains for geographical zones of the botnet and for groups of bots defined by the botmaster – a rather interesting concept for malware that is merely a generic stealer.”

Asked about the malware's Russian connections, Kessem told SC via email: “Our researchers have looked into the domains' registrant details and found they were registered by someone identifying themselves by a Russian name. Attribution is often tricky and even the breadcrumbs left behind by cyber-criminals can be designed for misdirection.”

Analysing the risk posed by CoreBot, UK cyber-security expert Sarb Sembhi, director of consultancy services at STORM Guidance, echoed IBM's warning.

He told SC via email: “This malware is probably a prototype with several modules that will get updated, and when that happens it will most likely have the capacity to become very sophisticated.

“The ‘holy grail’ for most malware writers is to be able to create something that will not be detected, and to that end they are using several different approaches. This does indicate that when CoreBot develops and starts to use this functionality further, it will be able to work undetected on most networks where the detection tools being used are purely signature-based.”

Sembhi, a leading member of the ISACA International security professionals organisation, added: “This type of malware shows a lot of ingenuity and illustrates the level of competition between malware writers to create products that can evade detection, to sell more of their products than the competitors at the higher end of the market.”

* IBM says it will issue a complete report on Shifu in the coming week.
