IBM Security X-Force identified a new advanced banking Trojan, possibly of Russian origin, that is attacking 14 Japanese banks and other financial institutions.
Dubbed Shifu by the IBM team, the Japanese word for thief, the malware may have been active since April 2015, but was recently revealed by IBM Security antifraud platforms, the X-Force report stated.
“Right now Shifu is targeting 14 Japanese banks and as well as select electronic banking platforms used across Europe, including Austria and Germany. At this time, only Japan is seeing active attacks using Shifu in the wild. However, we've often seen malware evolve its capabilities to target new regions and geographies,” the IBM X-Force team told SCMagazine.com in a Tuesday email.
The malware uses a mix of old and new technology, including pieces of code from shiz, Gozi, Zeus and Dridex, and even features anti-virus protection giving it the ability to lock out other malware ensuring that only the gang responsible can reap the attack's benefits.
While the current targets are all located in Japan, the IBM team found evidence the originators intend to spread it to other locales.
Shifu is designed to defraud bank accounts and target payment card data.
“This Trojan steals a large variety of information that victims use for authentication purposes, covering different sorts of authentication. For example, it keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications,” the IBM report stated.
Shifu also comes with a variety of defensive measures based on the older malware that it uses, such as the ability to wipe system restore, which is similar to how the Conficker worm operated.
Another devious tool is installing its own anti-virus solution to fend off other malware. In the same manner a lion protects its kill, Shifu stops the installation of malware and then takes the extra step of tracking the other malware so Shifu's owners know what its competitors are up to.
IBM said it believes the attack is likely Russian or native to another former Soviet republic from bits of information found on the scripts that are written in Russian, although the Big Blue team did not discount that it was also part a smokescreen left by the trackers to cover their tracks.