2015-09-24 - Geo-Focus
Shifu <3 Great Britain
For several days I have been noticing a shift in malware distribution in the UK.
Many of the infection paths I follow are now dropping a banker I have already seen many times, especially at the end of 2014 and mostly in Italy.
First time I encountered this threat: 2014-10-08
Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an Italy-focused infection path, 2014-10-08
So, two days ago, in UK traffic:
2015-09-22 - Angler EK dropping 0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR traffic
Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422, 2015-09-22
Apache config
Data folder of the Apache installation
Customers of 4 financial institutions are targeted by the injects stored in the config.xml
config.xml
Angler EK pushing Bedep, which grabs 791491ba9f0a7670659f45f1e5421c83, 2015-09-22
Seeing it again today in a malvertising campaign focused on the UK, I decided to write about it and contacted Brett StoneGross (Dell SecureWorks) to try to get the 'defense name' for this. He told me that what I was describing was probably Shifu, and quickly confirmed it after looking at the sample. (Edit, in reaction to Twitter: he also told me that Shifu is based on Shiz.)
So here we are: Shifu <3 GBR
Shifu <3 GBR, 2015-09-24
Files: ShifuPackage_2015-09-24.zip (password: malware)
Contains: 4 Fiddler captures, 1 pcap, 6 samples and 2 Apache config folders (with injects).
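As an added example (not part of the original post or of the package above): a small Python helper that hashes the files you extract from a package like this one and matches them against the MD5s quoted in the post. It records SHA256 alongside MD5, since MD5 is what the post publishes but is collision-prone and should not be the only identifier you keep. The file names and sample bytes used in the usage call are constructed, not from the real package.

```python
import hashlib
from pathlib import Path
from typing import Dict, Mapping, Tuple

# MD5s quoted in the post above; the labels are mine.
KNOWN_MD5: Dict[str, str] = {
    "165146e43ccee9c29b62693caf290df7": "Angler EK payload, Italy-focused path, 2014-10-08",
    "0598ee3e06c681d7f9e05d83bb7ea422": "Angler EK payload, GBR malvertising, 2015-09-22",
    "791491ba9f0a7670659f45f1e5421c83": "payload fetched by Bedep, 2015-09-22",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory(files: Mapping[str, bytes]) -> Dict[str, Tuple[str, str, int]]:
    """Return {name: (md5, sha256, size)} so the SHA256 can be kept next to
    the MD5 the post gives; both hashes come from the same bytes."""
    return {name: (md5_hex(data), sha256_hex(data), len(data)) for name, data in files.items()}


def match_iocs(files: Mapping[str, bytes], known: Mapping[str, str]) -> Dict[str, str]:
    """Return {name: label} for every file whose MD5 appears in `known`.
    Lookup is case-insensitive because IOC lists mix upper- and lower-case hex."""
    normalized = {h.strip().lower(): label for h, label in known.items()}
    hits: Dict[str, str] = {}
    for name, data in files.items():
        label = normalized.get(md5_hex(data))
        if label is not None:
            hits[name] = label
    return hits


def load_directory(root: Path) -> Dict[str, bytes]:
    """Read every regular file under `root` (an extracted sample package) into memory.
    Samples in such packages are small, so whole-file reads are fine here."""
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


if __name__ == "__main__":
    # Constructed stand-in for an extracted package; replace with
    # load_directory(Path("ShifuPackage_2015-09-24")) after extraction.
    extracted = {"samples/a.exe": b"constructed sample bytes", "pcap/a.pcap": b"\xd4\xc3\xb2\xa1"}
    for name, (m, s, size) in inventory(extracted).items():
        print(f"{name}: md5={m} sha256={s} size={size}")
    print("IOC hits:", match_iocs(extracted, KNOWN_MD5) or "none")
```

Run it from the directory where you extracted the zip and feed `load_directory(...)` instead of the constructed dict; anything returned by `match_iocs` is a file whose MD5 matches one of the hashes in this post, and the `inventory` output gives you the SHA256 to publish next to it.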
Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.
Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee
Post publication Reading:
3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign - 2015-09-30 - Trend Micro