For several days I have noticed a shift in malware distribution in the UK.
Many infection paths that I follow are now dropping a banker that I already saw many times, especially at the end of 2014 and mostly in Italy.
First time I encountered that threat: 2014-10-08
|Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path|
So, two days ago in UK traffic:
|2015-09-22 - An Angler EK dropping 0598ee3e06c681d7f9e05d83bb7ea422|
via malvertising on GBR traffic
|Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422|
|Data folder of the Apache installation|
Customers of 4 financial institutions are targeted by the injects stored in the config.xml.
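To show how an analyst gets from a recovered inject config to the "4 financial institutions" count and to a proxy-log check for exposed customers, here is an added example that is not part of the original post. The XML layout, host names and log lines are all constructed for the example; the real config.xml in the package has its own format, which this post does not document, so the parser is written against a hypothetical `<inject url="...">` structure.

```python
"""Extract the hosts targeted by web-inject rules and match them against proxy logs.

Added example, not from the original post. The XML layout below is a
constructed, hypothetical stand-in for a banker inject config.
"""
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config: five rules covering four institutions
# (bank-one is listed twice, for its login and transfer pages).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <injects>
    <inject url="https://online.bank-one.example/login*"><data/></inject>
    <inject url="https://online.bank-one.example/transfer*"><data/></inject>
    <inject url="https://*.bank-two.example/*"><data/></inject>
    <inject url="https://secure.bank-three.example/auth"><data/></inject>
    <inject url="http://ebanking.bank-four.example/*"><data/></inject>
  </injects>
</config>
"""

# Constructed proxy log lines: "timestamp client method url".
SAMPLE_PROXY_LOG = [
    "2015-09-24T10:01:02Z 10.0.0.5 GET https://online.bank-one.example/login",
    "2015-09-24T10:02:10Z 10.0.0.7 GET https://www.example.org/",
    "2015-09-24T10:03:44Z 10.0.0.9 GET https://portal.bank-two.example/accounts",
]


def target_hosts(config_xml):
    """Return the sorted, de-duplicated host patterns named by the inject rules."""
    root = ET.fromstring(config_xml)
    hosts = set()
    for inject in root.iter("inject"):
        url = inject.get("url")
        if not url:
            continue
        # '*' is not a valid URL character; swap it for a marker so urlparse
        # keeps the host intact, then restore it (urlparse lowercases hosts).
        parsed = urlparse(url.replace("*", "WILDCARD"))
        if parsed.hostname:
            hosts.add(parsed.hostname.replace("wildcard", "*"))
    return sorted(hosts)


def institutions(host_patterns):
    """Collapse host patterns to their registrable domain (naive: last two labels)."""
    return {".".join(h.split(".")[-2:]) for h in host_patterns}


def exposed_clients(log_lines, host_patterns):
    """Return (client, host) pairs for requests whose host matches an inject target."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url = parts[:4]
        host = urlparse(url).hostname or ""
        if any(fnmatch.fnmatchcase(host, pat) for pat in host_patterns):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    patterns = target_hosts(SAMPLE_CONFIG)
    print("targeted host patterns:", patterns)
    print("institutions:", len(institutions(patterns)))
    for client, host in exposed_clients(SAMPLE_PROXY_LOG, patterns):
        print("client", client, "visited targeted host", host)
```

Running this against the constructed data yields four institutions from five rules, and flags the two clients that browsed a targeted host during the infection window; those are the machines worth checking first for the Apache folder and samples listed above.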
|Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83|
Seeing it again today in a malvertising campaign focused on the UK, I decided to write about it and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu, and quickly confirmed it by looking at the sample. (Edit, in reaction to Twitter: he also told me that Shifu is based on Shiz.)
So here we are: Shifu <3 GBR
|Shifu <3 GBR|
Files: ShifuPackage_2015-09-24.zip Password: malware
|Contains: 4 Fiddler, 1 pcap, 6 samples and 2 Apache config folders (with injects).|
Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee
Post-publication reading:
3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign - 2015-09-30 - Trend Micro