
Shifu Banking Trojan Spreads to the UK


Karamjit


Shifu's creators move operations to Europe

Exactly a month ago, we were writing a very detailed report about a new banking trojan discovered by IBM's Security X-Force team, active at that point only in Japan.

The trojan, named Shifu, the Japanese word for thief, was targeting 14 Japanese banks, and IBM's team was speculating that a Russian APT was behind it.

Now, the same IBM team that's been tracking Shifu's movements warns that, as of September 22, the Shifu banking trojan has started showing up in the UK, attacking 18 targets, and also sporting a custom configuration that would allow it to do so.

"In its new, U.K.-dedicated samples, Shifu no longer injects into the explorer.exe process," says Limor Kessem of IBM. "Rather, it has modified its action path to launch a new svchost instance and performs all actions from that process instead."

The IBM team also thinks that most infections occur via spam campaigns, when users are redirected to Web pages serving the Angler Exploit Kit.

Just like in Japan, Shifu seems to be going only after banks and wealthcare organizations, being interested only in exfiltrating financial details from its targets, so the attackers behind the malware can carry out fraudulent transactions with the stolen data.

Shifu has been seen only in Japan and the UK so far, but we should expect it to hit other EU countries as well, and the US especially, the mother lode of all banking fraud campaigns.
