SECURITY RESEARCH HAS FOUND a banking trojan called Shifu that is going after Japanese financial firms in a big way.
Shifu is described as "masterful" by IBM X-Force, and is named after the Japanese word for thief, according to the firm. It is also the Chinese word for skilled person, or tutor.
X-Force said in a blog post that the malware has been active since the early summer, and comprises a number of known tools like Dyre, Zeus and Dridex. It has been put together by people who know what they are doing, and sounds like a significant problem for the 20 institutions it is targeting.
"The Shifu trojan may be a new beast, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true trojan mechanisms from other infamous crimeware codes," said the IBM researchers.
"It appears that Shifu's internal makeup was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with selected features from the more nefarious of the bunch."
The Shifu package offers a range of attack features as well as clean-up tools to cover its tracks. It reads like a Now that's what I call ... recent attacks compilation CD, and has some oldies but baddies.
"Shifu wipes the local System Restore point on infected machines in a similar way to the Conficker worm, which was popular in 2009," added the firm as one example.
The package can wreak havoc on companies and their users. If we had a bucket of damp sand we would pour it all over Shifu and stamp on it.
"This trojan steals a large variety of information that victims use for authentication purposes. For example, it keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications," said IBM.
"These elements enable Shifu's operators to use confidential user credentials and take over bank accounts held with a large variety of financial service providers.
"Shifu's developers could be Russian speakers or native to countries in the former Soviet Union. It is also possible that the actual authors are obfuscating their true origin, throwing researchers off by implicating an allegedly common source of cybercrime." µ
Someone could be in for a NASty surpise
An assault course on the senses
Boasting Bionic boosting