New Banking Trojan Is the Best (Worst) of Malware Put-Together, IBM Warns

IBM’s security researchers have discovered a new banking Trojan that they describe as a ‘power patchwork’: a combination of techniques borrowed from several effective, existing malware families.

At least 14 banks have been affected by a dangerous new banking Trojan called “Shifu”, a frightening Frankenstein mashup of the most effective tried-and-tested malware around. Dubbed ‘Shifu’ for ‘thief’, the malware focuses on banking institutions in Japan and other banks in the same region, IBM Security Intelligence revealed.

Security researchers at IBM’s X-Force discovered the Trojan and deemed it a critical and sophisticated threat because of its vast array of malicious capabilities.

The main fraud methods the researchers identified in the Trojan are:

  • Credential grabbing exploits
  • Web injections
  • Certificate theft

The Trojan works by wielding a variety of real-time threat mechanisms and methods, explains Limor Kessem, a cybersecurity expert at IBM.

“This Trojan steals a large variety of information that victims use for authentication purposes, covering different sorts of authentication. For example, it keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications.

“These elements enable Shifu’s operators to use confidential user credentials and take over bank accounts held with a large variety of financial service providers,” she writes in a blog post.

Shifu also scans for data on smart cards when they are attached to a smart card reader on the infected machine. The Trojan can parse and exfiltrate data from those smart cards, and it can also search for cryptocurrency wallets in order to siphon funds from the infected user.

Things get considerably worse when the malware activates an “anti-virus type feature” that the researchers have not yet described in detail. Once this feature is installed on a target’s machine, it can collect payment data from any transaction if it finds itself on a point-of-sale (POS) endpoint.

The Trojan is a revamped, redesigned combination of existing malware families and banking Trojans.

These include:

  • The domain generation algorithm of the Shiz Trojan.
  • Sandbox disabling and obfuscation techniques from Zeus.
  • Stealth methods and techniques from the Gozi/ISFB Trojan.
  • Theft of passwords, authentication tokens and certificate keys from multiple Java applets.

IBM researchers speculate that the Trojan could have been developed by Russian speakers or natives of countries in the former Soviet Union.

Researchers warn that while the Trojan is currently attacking Japanese banks actively, it is also targeting particular electronic banking platforms in Europe, including those in countries such as Austria and Germany.