"Shifu" Trojan Targets Japanese Banks

Status
Not open for further replies.
sinu

Thread author
A new banking Trojan has been used to target the customers of more than a dozen Japanese banks, IBM reported on Monday.

Dubbed “Shifu,” the Japanese word for thief, the banking Trojan has been around since at least April, and it’s designed to target Japanese banks and select e-banking platforms used in Europe.

Currently, the malware is mainly active in Japan, where it has been used to target the customers of 14 financial organizations.

Researchers say Shifu is a sophisticated Trojan that appears to borrow features from several well-known pieces of malware. The threat uses a domain generation algorithm (DGA) similar to the one of the Shiz Trojan, anti-security and anti-research techniques taken from Zeus VM, a configuration file similar to the one used by Dridex, and stealth techniques from Gozi. The threat also wipes the local system restore point on infected computers just like the Conficker worm did several years ago.

The basic Shifu package includes a keylogger, a browser hooking and webinject parser mechanism, a screenshot grabber, a certificate harvester, remote access tool (RAT) and bot control modules, application monitoring functionality, and anti-research tools. Additional capabilities can be added via modules downloaded from the command and control (C&C) server.
 