new interesting Banking Trojan

Published 2015-12-23 by Bungker Corp, category: vulnerabilities
https://www.bungker.co.id/2015/12/new-interesting-banking-trojan.html

[Image: Screen Shot 2015-09-02 at 20.27.16, http://1.bp.blogspot.com/-lqXdlsqtj0k/VnmrRd_EHeI/AAAAAAAAAgQ/cLAgb3zdWng/s1600/Screen%2BShot%2B2015-09-02%2Bat%2B20.27.16.png]

Hello everybody, today I'd like to share some information on "Shifu", a new and incredibly interesting banking trojan. At this point you might think:

    "Why are you writing about Shifu among the many other new threats (even more discussed) out there?"

Well... Shifu is a new banking trojan which currently attacks mostly Japanese banks; it is well geo-localized and will probably end up hitting a limited set of organizations. What fascinates me is the way it implements many of its features by copying what some of the "best in class" known malware families have done so far. Shifu implements the following features:

- Domain Generation Algorithm (DGA): Shifu uses the Shiz Trojan's DGA. The algorithm has been exposed and is easy to find online, and the developers behind Shifu have elected to reuse it to generate random domain names for covert botnet communications.
- Theft from bank apps: theft of passwords, authentication token files, user certificate keys and sensitive data from Java applets is one of Shifu's principal mechanisms. This modus operandi is familiar from the Corcow and Shiz codebases; both Trojans used these mechanisms to target the banking applications of Russia- and Ukraine-based banks. Shifu, too, has Russian banks on its target list in addition to Japanese banks.
- Anti-sec: Shifu's string obfuscation and anti-research techniques were taken from Zeus VM (in its Chtonik/Maple variation), including anti-VM checks and the disabling of security tools and sandboxes.
- Stealth: part of Shifu's stealth techniques come from techniques otherwise unique to the Gozi/ISFB Trojan, and Shifu uses exactly Gozi's command execution scheme to hide itself in the Windows file system.
- Config: the Shifu Trojan is operated with a configuration file written in XML format, not a common format for Trojans, and similar to the Dridex Trojan's configuration (Dridex is a Bugat offspring).
- Wipe System Restore: Shifu wipes the local System Restore point on infected machines in a way similar to the Conficker worm, which was widespread in 2009.
- Communication protocol: Shifu implements an SSL communication layer based on a self-signed certificate. The implemented module reminds analysts of the one used in the Dyre Trojan campaigns in late 2015.

Another interesting feature concerns Point Of Sale (POS) systems. To make matters worse, Shifu searches for specific POS memory strings (and processes). If it finds a POS trace it starts a "stealing credit card numbers" procedure.

READ MORE: http://marcoramilli.blogspot.in/2015/09/shifu-new-interesting-banking-trojan.html
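The POS feature described above is a memory-scraping technique: the malware reads a POS process's memory looking for magnetic-stripe track data and keeps only the digit runs that look like real card numbers. The Python below is an added example written for this page, not Shifu's code and not from the original post or from Marco Ramilli. It runs the generic check on a constructed in-memory buffer: the Track 1/Track 2 layouts and the Luhn test are the standard ones, while the buffer contents, the `scan_memory`, `CardHit` and `mask_pan` names are assumptions made for illustration. A defender can point the same matcher at a memory dump to confirm whether a POS process is holding unencrypted card data, which is exactly what a scraper of this kind feeds on.

```python
import re
from dataclasses import dataclass
from typing import List

# Magnetic-stripe track layouts (ISO/IEC 7813) as they sit in a POS process
# that has not yet encrypted the swipe:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; a scraper uses it to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CardHit:
    track: int    # 1 or 2
    pan: str      # primary account number
    expiry: str   # YYMM as printed on the stripe
    offset: int   # where in the buffer the record starts


def scan_memory(buf: bytes) -> List[CardHit]:
    """Return the Luhn-valid track records found in a memory buffer, ordered by offset."""
    hits: List[CardHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append(CardHit(1, pan, m.group(3).decode("ascii"), m.start()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append(CardHit(2, pan, m.group(2).decode("ascii"), m.start()))
    hits.sort(key=lambda h: h.offset)
    return hits


def mask_pan(pan: str) -> str:
    """Keep the BIN and the last four digits, as an analyst's report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "memory" (not a real capture): a Track 1 and a Track 2 record
# carrying the same Luhn-valid test PAN, a digit run that is not track data,
# and a Track 2 record whose PAN fails the Luhn check and must be ignored.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"
    b"%B4532015112830366^DOE/JOHN^25121011000000000000?"
    b"\x00order 1234567890123456 total 19.99\x00"
    b";4532015112830366=25121011000012345678?"
    b"\x00;4111111111111112=26011010000000000000?\x00"
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(f"track{h.track} @0x{h.offset:04x} pan={mask_pan(h.pan)} exp={h.expiry}")
```

Only the two records for the valid PAN survive: the plain digit run has no track framing and the last record fails Luhn. The same two regexes, with the Luhn step, are what you would turn into a YARA or memory-forensics rule when hunting for this behaviour, since a scraper and a detector are looking for the same bytes.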