Security researchers at IBM Security X-Force have uncovered a new banking trojan they call Shifu, after the Japanese word for "thief", which targets the customers of Japanese banks and of several electronic banking platforms. Unusually, the Shifu trojan carries its own anti-malware component.
In a blog post, cybersecurity evangelist Limor Kessem noted that the malware, reportedly active since April 2015, is configured to attack 14 Japanese banking institutions and a handful of electronic banking platforms used in Europe. For now, though, only Japan is seeing live attacks.
What sets this trojan apart is that it ships with an anti-malware system of its own.
Once Shifu has infected a victim's machine, Kessem explained, it installs a dedicated module whose job is to keep other banking malware off the host.
The module watches for malware-like files arriving over insecure HTTP connections and tries to block them. Files it cannot block are renamed "infected.exx" and uploaded to Shifu's command-and-control server. If such a file attempts to autorun, Shifu can additionally spoof an operating-system "out of memory" notification in place of the blocked execution.
Exactly where the trojan came from is still unknown.
"So who put the masterful Shifu together? Following analysis of Shifu's scripts, our researchers found comments written in Russian," Kessem stated in the post. "Shifu's developers could be either Russian speakers or native to countries in the former Soviet Union. It is also possible that the actual authors are obfuscating their true origin, throwing researchers off by implicating an allegedly common source of cybercrime."
Kessem said Shifu borrows features from several notorious existing malware families, which is what makes it so sophisticated. It reuses techniques seen in Corkow, Zeus, Conficker, Dyre and Shiz, as well as in the Gozi/ISFB trojan.
Its reported capabilities include encrypting its command-and-control traffic over a connection that uses a self-signed certificate, so the channel is protected from inspection but is not tied to any trusted certificate authority; wiping the local System Restore point on infected machines, which removes an easy rollback path; and anti-research techniques that hide it from security analysis tools.
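The behaviours described in the last few paragraphs (the "infected.exx" rename, the restore-point wipe and the self-signed certificate on the C&C channel) are the kind of host and network artefacts a defender would hunt for. The following triage script is an added example written for this page; it is not code from IBM X-Force or from the article. The event records are constructed Sysmon-style dictionaries, the field names are the author's own, and the assumption that the restore-point wipe surfaces as a `vssadmin delete shadows` command line is hypothetical, since the article does not say how Shifu deletes the restore point.

```python
"""Triage of host events for Shifu-like behaviour.

Added example, not IBM X-Force's code. Event field names, the sample
events and the 'vssadmin delete shadows' mechanism are assumptions.
"""
import re

# Name applied by Shifu's anti-malware module to files it cannot block (from the article).
INFECTED_NAME = "infected.exx"

# Assumed mechanism for the System Restore wipe; the article gives none.
SHADOW_WIPE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def rule_infected_rename(ev):
    """A file written under the name Shifu gives to quarantined rivals."""
    return ev.get("event") == "FileCreate" and ev.get("target", "").lower().endswith(INFECTED_NAME)


def rule_restore_wipe(ev):
    """A process deleting shadow copies / restore points (assumed command line)."""
    return ev.get("event") == "ProcessCreate" and bool(SHADOW_WIPE_RE.search(ev.get("cmdline", "")))


def rule_self_signed_tls(ev):
    """A TLS server certificate whose issuer equals its subject (a self-signed cert).

    The log is assumed to carry the extracted DNs; a full check would also
    verify the signature with the certificate's own public key.
    """
    return ev.get("event") == "TlsHandshake" and ev.get("issuer") == ev.get("subject")


RULES = [
    ("infected_exx_rename", rule_infected_rename),
    ("restore_point_wipe", rule_restore_wipe),
    ("self_signed_tls_c2", rule_self_signed_tls),
]


def triage(events):
    """Return a list of (rule_name, event_index) pairs for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, check in RULES:
            if check(ev):
                hits.append((name, idx))
    return hits


def is_shifu_like(events, min_rules=2):
    """Flag a host only when several distinct behaviours co-occur.

    A lone self-signed certificate is common on internal services, so one
    rule on its own should not page anyone; two or more together are worth a look.
    """
    return len({name for name, _ in triage(events)}) >= min_rules


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "FileCreate", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\alice\Downloads\infected.exx"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"event": "TlsHandshake", "dst": "203.0.113.7", "dst_port": 443,
     "issuer": "CN=localhost", "subject": "CN=localhost"},
    {"event": "TlsHandshake", "dst": "203.0.113.9", "dst_port": 443,
     "issuer": "CN=Example Public CA", "subject": "CN=update.example.com"},
]


if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx]}")
    print("Shifu-like host:", is_shifu_like(SAMPLE_EVENTS))
```

The rename rule is the strongest single indicator because "infected.exx" is specific to this family; the other two rules are generic (shadow-copy deletion is also ransomware behaviour, and self-signed certificates are everywhere), which is why the verdict requires at least two distinct rules to fire before a host is flagged.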