Shifu banking Trojan spreads to the UK

IBM security researchers have identified a malicious banking Trojan “in the wild” in the UK.

The so-called “Shifu” malware strain had previously only been witnessed in the Japanese financial sector, but appears to now have international targets in its sights.

IBM Trusteer's Limor Kessem explained that although the Shifu Trojan is a new form of crimeware, it uses the same tried and trusted methods that have previously been used in other forms of banking malware.

“Beyond dressing Shifu with select features from the more nefarious codes known to information security professionals, these developers are already working on internal changes to Shifu. These are designed to ensure the Trojan's security evasion mechanisms continue to perform,” she explained.

New versions of Shifu designed to target 18 UK-based financial institutions, for example, come with a modified injection process to avoid detection. The malware was first spotted in the UK on 22 September and attackers are expected to begin targeting the rest of Europe and the US imminently.

Explaining how the Shifu Trojan attacked its victims, Kessem added that individuals are led to infected websites containing the Angler exploit kit, often via spam email links. The Angler kit is popular amongst cyberattackers because of the variety of vulnerabilities that it is able to exploit, including those in HTML, Java, Silverlight and more.

“Although Angler is used by many cybercriminals, they all rely on its ability to evade security mechanisms and its multistep attack technique,” Kessem explained. “To keep automated security off its tracks, Angler attacks are based on a redirection scheme that begins with a clean page or advertising banner and eventually lands on an Angler-poisoned page. The victim's endpoint is then scanned for the corresponding vulnerabilities, followed by exploitation and the eventual payload drop.”