I noticed since several days a shift in malware distribution in the UK.
Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.

First time I encountered that threat : 2014-10-08

Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path
At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.

So two days ago in UK traffic :

2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422
via malvertising on GBR traffic
I saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,

Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 

Apache Config

Data folder of the Apache installation

Customers of 4 financial institutions are targeted by the injects stored in the config.xml

The same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:

Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83

Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)

So here we are: Shifu <3 GBR

Shifu <3 GBR
Side note : Here are some of the DGA in case main domain stop working.

Files : ShifuPackage_2015-09-24.zip Password : malware

Contains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).

Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.

Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee

Add a comment