The Shifu banking trojan combines a number of malware tools, particularly the Shiz source code.

A banking trojan that debuted in 2015, striking more than a dozen banks in Japan, is back, this time with a wider reach, according to an analysis from Palo Alto Networks.

When it was first dissected, the Shifu banking trojan was seen to combine aspects from a number of malware tools, particularly the Shiz source code, first discovered in 2006, which itself appropriated pieces of the notorious Zeus. When first employed, the malware siphoned out banking-related data, including usernames and passwords to financial accounts, credentials keyed into HTTP forms, private certificates, and external authentication tokens used by a number of financial institutions.

Some of the new strategies employed by the Shifu banking trojan include:

  • Exploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM-level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal;
  • Use of a Windows atom to identify if the host is already infected with Shifu in addition to the mutex used by previous versions;
  • Use of “push-calc-ret” API obfuscation to hide function calls from malware analysts; and
  • Use of alternative Namecoin .bit domains.

Source: Palo Alto Networks

And now a new evolution of the trojan has been detected by the Palo Alto Networks Unit 42 research team. It is hitting targets all over the globe and incorporates a number of new techniques to infect and evade detection on Microsoft Windows systems, the report said.

The researchers also uncovered clues, specifically links between Shifu and assorted other tools, that indicate that this is not merely a remodeling based on the Shiz trojan, but rather an evolution of Shiz that delivers a number of payloads.

The loaders employ several layers of decryption while injecting their exploits. Based on a detected time stamp, the researchers surmised that the miscreants behind this Shifu iteration had access to the zero-day exploit at that time or soon gained access to it.

Examination of the code revealed the use of several "anti-analysis tricks" that the researchers said bore similarities to previous versions. Perhaps more troubling, they also uncovered two command line parameters with functionality that indicates the malware is still in development.

Further, the researchers found a second-stage injector that uses an atom, rather than a mutex as most malware does, to check whether a system is already infected. While not new, this technique is not in common use, the researchers said.

Also new, according to the report, are the malware's strings for examining a victim's system, its browser target list and its bot commands.

Having tracked Shiz over the past several years and observed its use of several ancillary malware tools, the researchers conclude not only that the same author or group is behind this scourge, with evidence pointing to an actor in Ukraine, but that the perpetrators have assembled a set of financial-related malware in their arsenal. What ties the pieces together, the researchers said, is that all iterations use a PDB path with the same root folder.
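The PDB-path correlation the researchers describe can be reproduced as a triage step over a sample set. The following is an added example, not code from the report or from Unit 42: it scans raw bytes for CodeView RSDS debug records, extracts the embedded PDB path, and groups samples by the first two path components. The sample files and their PDB paths are constructed placeholders; the real Shifu root folder is not given on this page.

```python
import re
import struct
import uuid
from collections import defaultdict

# CodeView 7.0 debug record: "RSDS" magic, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)


def extract_pdb_records(data: bytes):
    """Return (guid, age, path) for every RSDS record in the bytes.
    Scanning for the magic avoids a full PE parse and also works on memory dumps."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("latin-1")
        records.append((guid, age, path))
    return records


def pdb_root(path: str, depth: int = 2) -> str:
    """Normalise a PDB path and keep only its first `depth` components (drive + root folder)."""
    parts = [p for p in path.replace("/", "\\").lower().split("\\") if p]
    return "\\".join(parts[:depth])


def cluster_by_pdb_root(samples: dict, depth: int = 2) -> dict:
    """Group sample names by shared PDB root folder; samples without an RSDS record are skipped."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        for _guid, _age, path in extract_pdb_records(data):
            clusters[pdb_root(path, depth)].append(name)
    return dict(clusters)


def make_rsds(path: str, age: int = 1) -> bytes:
    """Build a constructed RSDS record wrapped in filler bytes (test data, not a real sample)."""
    guid = uuid.uuid5(uuid.NAMESPACE_DNS, path).bytes_le  # deterministic placeholder GUID
    return b"\x90" * 8 + b"RSDS" + guid + struct.pack("<I", age) + path.encode() + b"\x00" + b"\x90" * 8


# Constructed sample set with placeholder paths: two share a root folder, one does not,
# and one carries no debug record at all.
SAMPLES = {
    "loader_a.bin": make_rsds(r"c:\projects\shared\loader\Release\loader.pdb"),
    "injector_b.bin": make_rsds(r"c:\projects\shared\inject\Release\inject.pdb"),
    "unrelated.bin": make_rsds(r"d:\other\tool\Release\tool.pdb"),
    "stripped.bin": b"\x90" * 32,
}

if __name__ == "__main__":
    for root, names in cluster_by_pdb_root(SAMPLES).items():
        print(f"{root}: {', '.join(names)}")
```

Samples that cluster under one root are candidates for a shared build environment, which is the kind of link the researchers used; a PDB path is trivially forgeable, so it corroborates other evidence rather than proving authorship on its own.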

When asked how these attackers continue to alter their coding, Dominik Reichel, threat intelligence analyst, Unit 42, Palo Alto Networks, and author of the report, told SC Media on Monday that the attackers put most of their efforts into changing the outer levels of the trojan, meaning the obfuscated loader and the second-stage injector. "This was most likely done to make the main payload undetectable by current security solutions and that seems to have been successful given that others haven't detected this new Shifu version."

As for the main payload, the attackers only did minor changes compared to the previous version, he said. "For example, they updated the code to support also hooking of the new Microsoft Edge browser."

Of interest with this Shifu version, Reichel pointed out, is the exploit for CVE-2016-0167 it used. "It seems the code for this exploit was sold or shared in the underground since we have found several versions and modifications of that exploit," he told SC, adding that he and his team have also found another malware (Vawtrak) which uses an earlier version of the exploit.

The full analysis is here.