This is the first installment in an ongoing series about banking malware that faded away in 2017.

Cybercrime is a very dynamic threat landscape. With over 100 million malware strains tracked by AV-TEST in 2016, malware can be a dime a dozen. When it comes to the more organized cybercrime groups and sophisticated banking Trojan projects, malware families are more defined and easy to recognize. These threats advance at a trackable pace and their targets are regularly monitored by IBM X-Force.

Gang-owned malware helps its operators steal untold amounts of money. These codes do not typically go away without a publicly visible reason, such as a shutdown by law enforcement. However, there are some notable exceptions.

According to IBM X-Force data, a few major cybercrime groups did crawl out of the spotlight slowly and for no apparent external reason in 2017. Some names that come to mind are Shifu, Tinba, Neverquest, Qadars and GozNym. Where were these malware codes before, and where are they today?

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Tracking the Shifu Trojan

Shifu is a sophisticated banking Trojan that was discovered by X-Force Research in August 2015. According to X-Force analysis of Shifu’s code, this malware borrowed some of its central mechanisms and configuration style from other well-known banking Trojans, such as Shiz, Gozi, Zeus and Dridex. This brought it to a highly functional level right from the moment of its release. At the time of discovery, Shifu’s targets were found to be mostly in Japan, but it didn’t take long for the malware to spread to banks in the U.K. and other parts of Europe.

With unique code mesh and advanced data theft capabilities, it was evident to X-Force researchers that Shifu was created by malware veterans. This suspicion was reinforced by its configuration files that targeted business and wealth management accounts, alluding to the operators’ ability to steal and cash out heftier sums than schemes targeting consumers. This is yet another characteristic of an organized and resource-backed group.

Bouts of Activity in Japan and the UK

X-Force monitoring of Shifu’s activity showed it was quite active in 2016, leveraging the Angler exploit kit to spread around during the months following its release. The operators were starting to collaborate with underground vendors that supplied webinjections to other gangs and used them to launch intermittent attack campaigns in Japan and the U.K. Shifu evidently had friends in the right places.

An Upgrade in Early 2017

Shifu’s developers worked on the code through 2016, adding modified functionality for infected endpoints outside of Japan. By January 2017, Shifu received its first major upgrade, proving that much more work was underway for the Trojan.

Meaningful modifications included exploiting different Windows mechanisms for privilege escalation and a move to Namecoin and Dot-Bit domains for botnet communications. This ingenious trick to evade censorship and law enforcement was previously observed in the Necurs botnet.

This choice was yet another hint as to Shifu’s network of friends in the cybercrime arena. It also reinforced Shifu’s striking resemblance to the Shiz banking Trojan, which disappeared in 2014 and most likely served as the inspiration and source for Shifu’s code. According to X-Force Research, Shiz used to target banks in Russia, and its developer was likely located in Ukraine. This would be indicative of Shifu’s origin as well.

Shifu Malware Dying Out?

Shifu seemed to be very focused on two main geographies — Japan and the U.K. — and was evolving steadily before it suddenly started fading out. After technical modifications were introduced into the code starting in June 2016, X-Force Research was surprised to see Shifu’s activity wane significantly with each passing month since.

Looking at X-Force data from the past 12 months, we can see that Shifu’s campaigns were very small throughout the entire period. We also detected a continuous downward trend in attempted infections, which signified that the gang had stopped launching infection campaigns altogether.


Figure 1: Shifu trend of infection attempts on clean endpoints (Source: IBM X-Force)

Beyond the decline in attempted attacks, the Shifu malware operators seem to have stopped trying to access victims’ bank accounts. That activity started tapering off in April 2017 after a continued decline that started in August 2016.


Figure 2: Shifu trend of attempted illicit access on infected endpoints (Source: IBM X-Force)

Due to the limited attack scope that kept Shifu focused on Japan and the U.K., the malware never made X-Force Research’s list of the top 10 banking Trojans. It was, however, one of the top-ranking malware threats in Japan in August 2016, alongside names such as Rovnix, Neverquest, Gozi, Zeus and URLZone.

Gone — For Now

What made Shifu fade out this way? Is it safe to assume that Shifu is gone for good? These questions can only be answered with some educated speculation.

Shifu was likely operated by a cybercrime group that was either located in Japan or had ties to local organized crime in the region. With that, parts of Shifu’s code and configuration, as well as its apparent alliances in the cybercrime area, suggest that it originated in Eastern Europe, most likely Ukraine. It’s possible that the parties that collaborated on the code development and operational sides did not match in experience and capability. As a result, although it is a highly sophisticated piece of malware, Shifu remained rather limited throughout its lifespan.

It’s also possible that Shifu’s operators chose to fly under the radar. In doing so, they limited their success rates and eventual profits from Shifu. That might have chipped away at the gang’s resources and eventually caused it to close shop. This is not to exclude the possibility of an internal feud between the gang’s leaders or even a looming law enforcement operation that spooked Shifu’s operators.

Will Shifu be back? My personal guess is that it will return. Just as Shifu’s code included parts of other malware, codes such as Shifu are often sold to other gangs for hefty sums of money or used in different collaborations among cybercriminal groups. Shifu is likely a reincarnation of Shiz. As such, it can be reappropriated and refitted with new configurations to attack in other regions. With this, the circle of cybercrime is complete.

X-Force Research is keeping its eye on any further Shifu developments, so stay tuned. The Shifu collection on X-Force Exchange will also reflect indicators of compromise (IoCs) and information on Shifu malware if it rises again.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today