Shifu – Cybercrime's Newest Banking Malware Terror
Generally speaking, we see the greatest data security measures taken by the largest organizations, such as government offices, medical organizations, and financial institutions. The thing is, often these organizations aren’t doing enough or have outdated data security policies in place. Many of these outdated risk management policies add fuel to the fire. The new generation of hackers continues to develop increasingly powerful and invasive viruses and malware that penetrate the seemingly secure frameworks of larger enterprises.
“The Frankenstein of Trojans,” said Limor Kessem, Senior IBM Security Evangelist
A new, advanced banking Trojan has been afflicting banking institutions in Japan. “Shifu,” the “masterful” new banking malware discovered by IBM Red Cell of the IBM Security X-Force, has been active since April of 2015. IBM Security X-Force works to monitor vulnerabilities and reveal suspicious threats, including active attacks, viruses, malware, phishing, spam, and malicious web content. Their IBM Red Cell team is a security task force working specifically within the financial sector.
Shifu, which is the Japanese word for “thief,” is dangerous in that it has the capability to steal a large variety of delicate information. Because its primary target is banking and financial institutions, Shifu steals a wide range of banking-related data, including usernames, passwords, statements of financial accounts, information that users key into HTTP forms, private certificates, and external authentication tokens. With all of this vital customer information, Shifu has been able to attack and take over numerous customer bank accounts at several Japanese banks.
Shifu’s attacks are primarily targeting 14 banks in Japan, though it has also gone after select banking platforms in Europe, including Austria, Germany, and other European countries. However, Japan is the only country that is currently facing frequent active attacks brought on by Shifu.
The “highly sophisticated banking Trojan” has elements and features that were present in the modules of older Trojans. In other words, the developers behind Shifu have combined features from past Trojans to create the powerful patchwork that is Shifu. Specific older Trojans that Shifu took elements from include Shiz, Gozi, Zeus and Dridex.
IBM found that the Domain Generation Algorithm Shifu uses to generate random domain names for botnet communications is the very same one found in the Shiz malware. Shifu’s mechanism for stealing passwords, authentication tokens, and other sensitive data and credentials from infected machines is nearly identical to that of the Corcow banking malware, which was first deployed in 2014 and targeted banks in Russia and Ukraine. Furthermore, Shifu’s ability to disable anti-virus software is a capability originally found in the Zeus banking Trojan. Additionally, Shifu uses a command execution method first employed by the Gozi Trojan, which allows the malware to remain hidden within the Windows file system. Unsurprisingly, Shifu also borrows from the Conficker worm of 2009: it covers its tracks on infected machines by wiping the local System Restore point, a mechanism first deployed by Conficker.
When considering the techniques and mechanisms employed by Shifu, Limor Kessem, the senior IBM security evangelist, dubbed Shifu the “Frankenstein of Trojans.” The creators of Shifu have taken specific powerful elements of past Trojans, combined them with modern innovative features, and created a malicious and monstrous banking Trojan. One of the unique features of Shifu is its anti-virus-like mechanism that scans for and prevents other malware from infecting the same machine. If incoming files arrive over an unprotected HTTP connection or are unsigned, Shifu blocks them from infecting the machine. The system attempting to upload and execute the malicious file on the Shifu-infected machine receives an “out of memory” message, and the file is never downloaded. Shifu is one of the first Trojans to block other malware from infecting a machine it has already compromised.
Another capability of Shifu is its ability to steal data from smartcards. If Shifu discovers that a smartcard reader is attached to the compromised endpoint, the Trojan can search for and steal from the “cryptocurrency” wallets on infected systems. Additionally, if Shifu detects that it has landed on a POS (Point of Sale) system, it will proceed to steal the payment card information.
Although the exact origin of this powerful banking Trojan is unknown, analysts have discovered Russian lexicon in the code and believe it has ties to Russian hackers. At the moment, the Shifu Trojan seems to be confined to banks in Japan, though nothing seems to suggest that the banking Trojan is incapable of expanding its attacks to banking and financial institutions in other regions.
When we consider the potential risks to financial institutions across the globe that a Trojan like Shifu can have, it’s important to implement substantial security measures that have the power to defend against such threats. Although there are several ways to go about protecting sensitive information, such as hiring an IT security management company, perhaps the easiest and most effective method is to protect the devices that store the data in the first place.
Kanguru is an industry leader in data security and has developed a powerful line of secure data storage devices capable of protecting even the most sensitive information from attacks like Shifu. The following features are available on Kanguru Defender® USB data storage drives:
- Onboard Anti-Virus Software
- AES 256-bit Hardware Encryption
- FIPS 140-2 Certification
- Secure Firmware (protects from malware)
- Physical Write Protect Switch
- TAA Compliance
- Brute-Force Protection and Tamper-proof design
With Kanguru's newest secure USB storage devices, the new Defender Elite300™ and Defender 3000™, Kanguru has created one of the most secure USB data storage devices available on the market today. The level 3 and level 2 FIPS 140-2 certified flash drives are recognized by the NIST (National Institute of Standards and Technology) and CSE (Communications Security Establishment) as powerful data storage that has the ability to prevent unauthorized access, malware attacks, and physical tampering. Both the Defender 3000™ and Defender Elite300™ have AES 256-bit hardware encryption (XTS Mode), along with On-Board Anti-Virus software and built-in secure firmware, adding multiple layers of security to the encrypted device.
The complete line of Kanguru storage devices is immune to even the most powerful threats, such as the infamous “BadUSB.” The secure firmware within the Kanguru secure data storage devices is perfect for organizations both large and small, and surpasses even the most stringent federal, healthcare, and financial industry regulations around the world.
For financial institutions, the rising threat of the Shifu malware presents risks that many security measures cannot prevent. However, the sensitive data can be protected with a highly secure, encrypted data storage device management system that prevents unauthorized access and malicious attacks – one of Shifu’s known methods of entry.
With Kanguru secure USB data storage drives and Remote Management, organizations can protect against such dangers.
Kanguru is a global leader in offering state-of-the-art data security management solutions to banking, government, educational institutions, and consumers. Kanguru continues to develop breakthrough data encryption products to safeguard against unforeseen data breaches. For more information on Kanguru, please visit www.kanguru.com.