Less than a month after Security Intelligence announced the discovery of the brand-new and highly advanced banking Trojan Shifu, our predictions materialized and the malware has spread from Japan and begun actively attacking U.K. banks and wealth management firms.

Shifu, which is suspected to have been created by Russian-speaking malware authors, only targeted 14 Japanese banks at the time of its discovery and also focused on a select set of electronic banking platforms used across Europe. However, due to the threat’s level of sophistication, IBM Security X-Force researchers predicted it would spread into new territories in the near future. As of Sept. 22, that prediction is a reality, with the U.K. receiving its very own Shifu configuration with 18 new targets.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Shifu Moves to the UK

X-Force researchers confirmed that Shifu is actively attacking online banking customers in order to perform fraudulent transactions.

The Shifu Trojan may be new crimeware, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal makeup is being composed by savvy developers who are intimately familiar with other types of banking malware.

Beyond dressing Shifu with select features from the more nefarious codes known to information security professionals, these developers are already working on internal changes to Shifu. These are designed to ensure the Trojan’s security evasion mechanisms continue to perform.

For example, in its new, U.K.-dedicated samples, Shifu no longer injects into the explorer.exe process. Rather, it has modified its action path to launch a new svchost instance and performs all actions from that process instead.

Infection Campaign Status

Shifu began spreading to U.K.-based endpoints in mid-September 2015, with a few machine infections per day. By Sept. 22, it became clear that an actual infection campaign was taking place and hundreds of endpoints were infected per day.

Although one relatively modest campaign has already taken place, IBM X-Force researchers believe more widespread infection sprees are yet to come in the U.K. This is likely to be followed with future propagation into other parts of Europe and the U.S.

To infect users, online banking and wealth management customers are being led to poisoned websites hosting the Angler exploit kit (EK), likely through links in email spam.

The Shifu crew uses the Angler EK, a commercially available kit sold in the cybercrime underground. This kit emerged in 2013, quickly gaining momentum as an alternative to the infamous BlackHole EK, whose vendors were arrested that year. Angler is rather diverse and effective since it exploits a variety of different code vulnerabilities, including HTML, Java, JavaScript, Adobe Flash and Silverlight, to name a few.

Although Angler is used by many cybercriminals, they all rely on its ability to evade security mechanisms and its multistep attack technique. To keep automated security off its tracks, Angler attacks are based on a redirection scheme that begins with a clean page or advertising banner and eventually lands on an Angler-poisoned page. The victim’s endpoint is then scanned for the corresponding vulnerabilities, followed by exploitation and the eventual payload drop.

As more information about the evolution of the Shifu Trojan develops, be sure to check back for updated findings and reports.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…