
New banking malware threatens Japanese users

Wednesday 2 September 2015 11:29 CET | News

Customers of Japanese banks are on the front line of attacks based on a new and sophisticated banking trojan, mashed together from leaked bits of malware code.

Shifu (named after the Japanese word for thief) is targeting 14 Japanese banks as well as electronic banking platforms used across Europe, according to security researchers from IBM Trusteer.

Shifu is made up of powerful pieces of code from leaked (discarded and arguably dead) malware variants. Some of Shifu’s features and modules were borrowed from the leaked source code of other banking Trojans, including Shiz, Gozi, Zeus and Dridex.

Once installed, Shifu keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications.

It uses web injections to fool users of infected machines. Shifu scans, parses and exfiltrates data from smartcards once a reader is connected to an infected endpoint. The trojan also lifts any cryptocurrency wallets found on infected devices.

Shifu comes pre-configured to lift payment card data from compromised retail networks. The malware scans infected endpoints for strings that may indicate it has landed on a point of sale (POS) terminal. Once planted on a cash machine, Shifu deploys a RAM scraping plugin to collect payment card data.

In addition, Shifu comes with security tools designed to prevent other malware from installing on a newly infected machine. The malware wants exclusive control of compromised systems.



Keywords: malware, cybercrime, data breaches, online security, web fraud, Japan, internet
Categories: Fraud & Financial Crime