Shifu banking Trojan arrives in the UK, warns IBM

Russian-crafted banking malware spreads from Japan to UK - Europe and the US next on the menu

IBM Security X-Force has warned that the Shifu banking Trojan, which had been observed in Japan attacking the Japanese financial sector, has been identified "in the wild" in the UK.

It comes less than a month after IBM security researchers identified the malware in Japan. The company claims the Trojan has been targeted at UK financial institutions with a bespoke configuration aimed at 18 new targets.

IBM claims that it is "actively attacking online banking customers in order to perform fraudulent transactions".

According to IBM Trusteer cyber security evangelist Limor Kessem, "the Shifu Trojan may be new crimeware, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu's internal makeup is being composed by savvy developers who are intimately familiar with other types of banking malware."

She continues: "Beyond dressing Shifu with select features from the more nefarious codes known to information security professionals, these developers are already working on internal changes to Shifu. These are designed to ensure the Trojan's security evasion mechanisms continue to perform.

"For example, in its new, UK-dedicated samples, Shifu no longer injects into the explorer.exe process. Rather, it has modified its action path to launch a new svchost instance and performs all actions from that process instead."

The malware started spreading in the UK in mid-September with just "a few machine infections per day". While the campaign, formally identified on 22 September, is modest, IBM X-Force researchers have warned that a more widespread attack is likely to follow, with the rest of Europe and the US also likely in the attackers' sights.

"To infect users, online banking and wealth management customers are being led to poisoned websites hosting the Angler exploit kit (EK), likely through links in email spam," warns Kessem.

"The Shifu crew uses the Angler EK, a commercially available kit sold in the cybercrime underground. This kit emerged in 2013, quickly gaining momentum as an alternative to the infamous BlackHole EK, whose vendors were arrested that year. Angler is rather diverse and effective since it exploits a variety of different code vulnerabilities, including HTML, Java, JavaScript, Adobe Flash and Silverlight, to name a few.

"Although Angler is used by many cybercriminals, they all rely on its ability to evade security mechanisms and its multistep attack technique. To keep automated security off its tracks, Angler attacks are based on a redirection scheme that begins with a clean page or advertising banner and eventually lands on an Angler-poisoned page. The victim's endpoint is then scanned for the corresponding vulnerabilities, followed by exploitation and the eventual payload drop."