14 Japanese banks are under attack from a new breed of Trojan named Shifu, after the Japanese word for thief.
What makes this Trojan notable is that it is assembled from pieces of previously discovered malware, according to IBM Security X-Force researchers. Besides Japan, banks in Austria, Germany and other EU countries have been targeted.
Not a classical banking Trojan, Shifu can be pointed at many targets at once and is hard to detect because of the way it is built. It borrows techniques from Shiz, Corkow, Zeus, Dridex, Conficker, Dyre and the Gozi/ISFB Trojan, which makes it a highly sophisticated piece of malware. It also has a modular architecture: it communicates with a command-and-control server that sends it real-time instructions and loads additional modules according to the features of the infected machine.
As a result, Shifu can steal credentials from HTTP form data, scrape authentication tokens from banking applications, locate and steal private certificates, and even detect smartcard readers attached to the PC, from which it can also exfiltrate data.
To make things worse for security teams, Shifu carries its own antivirus-like function that keeps other banking Trojans off the infected machine. This leaves the victim exclusively in the hands of Shifu's distributors, who are protecting their quarry from other criminals.
It is currently unclear where the Trojan comes from: some say Russia, while others argue that it is only made to look Russian in origin to throw off security teams, since Russia is such a common point of origin for cyber-crime.