"Why are you writing about Shifu among many other new threats (even more discussed) out there ? "
Well... Shifu is a new banking trojan which actually attacks Japanese banks mostly, it's actually well geo-localized and probably it will end up on a specific amount of organizations, but what fascinates me is the way it implements many features by copying what have done so far some of the "best in class" known Malware. Shifu implements the following features:
- Domain Generation Algorithm (DGA): Shifu uses the Shiz Trojan’s DGA. The exposed algorithm itself is easy to find online, and the developers behind Shifu have elected to use it for the generation of random domain names for covert botnet communications.
- Theft From Bank Apps: Theft of passwords, authentication token files, user certificate keys and sensitive data from Java applets is one of Shifu’s principal mechanisms. This type of modus operandi is familiar from Corcow’s and Shiz’s codes. Both Trojans used these mechanisms to target the banking applications of Russia- and Ukraine-based banks. Shifu, too, targets Russian banks as part of its target list in addition to Japanese banks.
- Anti-Sec: Shifu’s string obfuscation and anti-research techniques were taken from Zeus VM (in its Chtonik/Maple variation), including anti-VM and the disabling of security tools and sandboxes.
- Stealth: Part of Shifu’s stealth techniques are unique to the Gozi/ISFB Trojan, and Shifu uses Gozi’s exact same command execution scheme to hide itself in the Windows file system.
- Config: The Shifu Trojan is operated with a configuration file written in XML format — not a common format for Trojans, and similar to the Dridex Trojan’s configuration (Dridex is a Bugat offspring).
- Wipe System Restore: Shifu wipes the local System Restore point on infected machines in a similar way to the Conficker worm, which was popular in 2009.
- Commuication protocol: Shifu implements an SSL communication layer based on a Self-signed certificate. The implemented module reminds analysts to the one used on Dyre Trojan campains in Late 2015.
Another interesting feature is about Point Of Sales. To make matters worse, Shifu searches for specific POS memory strings (and processes). If it finds a POS trace it starts a "stealing credit card numbers" procedure.
EmoticonEmoticon