In a blog written by cybersecurity evangelist Limor Kessem on the Security Intelligence website, IBM X-Force confirms their prediction that Shifu would soon pose a major threat beyond Japan.
It has now identified a new configuration of banking malware Shifu that targets 18 banking and wealth creation companies. While this would be considered a rapid evolution for most malware, Shifu is not only a highly advanced piece of malware but one that has been crafted by a set of very sophisticated cybercriminals.
Banking malware Shifu from Russia without love
Shifu is believed to have originally been written by a group of Russian-speaking malware authors. When it was first discovered it was a surprise that it had been targeted at the Japanese banking system. Russian-speaking cybercriminals have been waging war against high profile supporters of the embargo against Russia after its invasion of Ukraine. The majority of the malware launched by Russian-speaking cybercriminals in the past two years has been targeted at the US and Western European countries.
According to Kessem the authors of Shifu are no strangers to banking malware. They appear to have drawn on their experience of previously successful banking malware in order to craft Shifu. Not content with taking the best from successful malware, they have also added some interesting sophistication to the internals of Shifu. These are believed to include self-morphing code that makes it hard to detect and a change to the way it infects target computers.
Kessem says: “In its new, U.K.-dedicated samples, Shifu no longer injects into the explorer.exe process. Rather, it has modified its action path to launch a new svchost instance and performs all actions from that process instead.” This change of behaviour means that it has a higher change of evading detection as it will be seen as a valid system process by a lot of security software.
Infection rates picking up quickly
IBM X-Force first detected the UK variant of Shifu in mid-September. By September 22nd, Kessem reports that: “IBM was detecting hundreds of endpoint infections per day.” The blog states that: “IBM X-Force researchers believe more widespread infection sprees are yet to come in the U.K. This is likely to be followed with future propagation into other parts of Europe and the U.S.”
This is a common pattern which has been seen before. The question is how fast will the next wave of attacks occur? Given that it has taken the cybercriminals less than a month to move from Japan to the UK it is highly likely that we can expect to see infections across Europe and the US in the next month.
In order to infect users, they are redirected to a website that has previously been infected with the commercial Angler exploit kit. Interestingly, Kessem says that it is often not the first website that users are directed to that contains the exploit. Instead they are redirected through a constantly changing network of sites until they reach one that drops the infected code onto their computer.
This is not the last we will hear about Shifu. There are several major online shopping days coming up in the build up to Halloween and Christmas. A fast response by the team behind Shifu could quickly yield them significant revenue.
The question is whether this level of sophistication and speed of evolution is a one-off or does it herald a new phase in the constant war by cybercriminals?