The banking trojan “Shifu” was discovered by the IBM counter fraud platform in April, 2015. Built on the Shiz source code, this trojan employs techniques adopted by several notorious trojans such as Zeus, Gozi, and Dridex. It initially targeted 14 banks in Japan and has been active in Britain since September 22, 2015, attacking more than 10 banks there. On January 6, 2017, researchcenter.paloaltonetworks.com published an article indicating that the trojan's author refined it in 2016. Specifically, early versions of this trojan obtained system privileges on the attacked host by exploiting the vulnerability assigned CVE-2015-0003, whereas the current version achieves the same goal by leveraging the Windows privilege escalation vulnerability assigned CVE-2016-0167.
The sample analyzed in this document is a variant of the “Shifu” trojan. After escalating its privileges to the system level with its embedded vulnerability exploitation module, the trojan steals users' online banking login credentials.
The following figure shows the timeline of attacks launched via this trojan.
Microsoft Windows is a series of operating systems developed by Microsoft. win32k.sys is a kernel-mode device driver and the kernel part of the Windows subsystem. It contains the window manager, which controls window display and manages screen output.
This kernel-mode device driver contains a privilege escalation vulnerability because it does not properly handle objects in memory. An attacker who successfully exploits it can escalate his/her privileges and execute arbitrary code in kernel mode.
The following systems are affected:
- Microsoft Windows Vista SP2
- Windows Server 2008 SP2 and R2 SP1
- Windows 7 SP1
- Windows Server 2012 Gold and R2
- Windows RT 8.1
- Windows 10 Gold and 1511
Propagation and Infection
| Item | Value |
|---|---|
| System | Windows 7 (32-bit) |
| Tools | ProcessMonitor, Xuetr, Wireshark, OllyDbg, IDA |
- Detection Results of TAC
The following table lists other same-origin samples:
| MD5 | File Size | Risk Level |
|---|---|---|
- Covert attack: The attack is carried out through multiple layers of encryption and process injection.
- Network behavior: The sample collects information about the local host (including but not limited to the local time zone, current time, operating system version, antivirus software version, and host name), uploads it to the remote server, and keeps communicating with the remote server so the attacker can control the host and steal the user's information.
- Sandbox detection: The sample has anti-debugging and anti-virtual machine (VM) functions. It checks whether it is likely running in a sandbox by comparing file names, process names, user names, and system signatures against known values.
- Antivirus evasion: The sample can detect multiple analysis tools, antivirus products, and sandboxes. When antivirus software is found, the sample enters an infinite sleep loop and exhibits no malicious behavior. When a sandbox is detected, the sample terminates the script interpreter, traffic capture tool, binary analysis tool, and other such processes, cutting off the sandbox's interaction with the outside or preventing its automated analysis of the sample.
The following figure shows the sample execution process.
Functions of this sample are as follows:
- Decrypting the injector to overwrite the original code.
Code for decrypting the PE file is as follows:
Code for the decryption algorithm is as follows:
```asm
002C0564 3B75 64       cmp esi,dword ptr ss:[ebp+0x64]   ; has the source pointer reached the region to skip?
002C0567 75 0D         jnz short 002C0576                ; no: decrypt the next dword
002C0569 0375 68       add esi,dword ptr ss:[ebp+0x68]   ; yes: advance source pointer past the region
002C056C 037D 68       add edi,dword ptr ss:[ebp+0x68]   ;      advance destination pointer by the same amount
002C056F 2B4D 68       sub ecx,dword ptr ss:[ebp+0x68]   ;      and take the skipped bytes off the byte counter
002C0572 85C9          test ecx,ecx
002C0574 74 12         je short 002C0588                 ; nothing left: leave the loop
002C0576 AD            lods dword ptr ds:[esi]           ; eax = next ciphertext dword, esi += 4
002C0577 50            push eax                          ; save the raw ciphertext dword for the next round
002C0578 2D BB462156   sub eax,0x562146BB                ; step 1: subtract the fixed constant
002C057D 90            nop
002C057E 90            nop
002C057F 33C2          xor eax,edx                       ; step 2: XOR with the previous ciphertext dword (edx)
002C0581 5A            pop edx                           ; edx = this round's ciphertext dword (chained key)
002C0582 AB            stos dword ptr es:[edi]           ; write the plaintext dword, edi += 4
002C0583 83E9 03       sub ecx,0x3                       ; ecx counts bytes: -3 here plus -1 from loopd = 4 per dword
002C0586 ^ E2 DC       loopd short 002C0564              ; ecx--, continue while ecx != 0
```
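The listing above can be turned into a standalone decryption script, which is what an analyst needs to unpack the injector offline. The following Python code is an added example, not code from the NSFOCUS report or from the sample. It takes from the listing the constant 0x562146BB, the "subtract, then XOR with the previous ciphertext dword" structure (the `push eax` / `pop edx` pair carries the previous ciphertext dword into EDX), the byte counter in ECX (`sub ecx,3` plus `loopd` consume 4 bytes per dword) and the branch that skips a region of `[ebp+0x68]` bytes once ESI reaches `[ebp+0x64]`. The initial value of EDX (`edx_init`), the interpretation of the skipped region as bytes copied through unchanged (`skip_at` / `skip_len`) and the sample data are assumptions constructed here; `shifu_encrypt` is only the inverse transform, added so the example can build verifiable input.

```python
from struct import pack_into, unpack_from
from typing import Callable, Optional, Tuple

# Added example, not code from the NSFOCUS report or the sample: a Python
# re-implementation of the decryption loop at 002C0564..002C0586. Constant and
# structure come from the listing; edx_init, the pass-through skip region and the
# sample data are assumptions.
MASK32 = 0xFFFFFFFF
SUB_CONST = 0x562146BB          # "sub eax, 0x562146BB" at 002C0578


def _run_loop(data: bytes, step: Callable[[int, int], Tuple[int, int]],
              skip_at: Optional[int], skip_len: int, edx_init: int) -> bytes:
    """Walk `data` dword by dword the way the loop does.

    `step(word, prev)` returns (output_word, next_prev). ESI and EDI move in
    lock-step, so one offset models both; ECX is `remaining` (a byte count).
    """
    if len(data) % 4 or (skip_at is not None and (skip_at % 4 or skip_len % 4)):
        raise ValueError("buffer, skip offset and skip length must be dword multiples")
    out = bytearray(len(data))
    prev = edx_init & MASK32          # EDX before the first iteration (assumed)
    esi = 0
    remaining = len(data)
    while remaining > 0:
        if skip_at is not None and esi == skip_at:               # cmp esi,[ebp+0x64]
            out[esi:esi + skip_len] = data[esi:esi + skip_len]   # region passes through (assumption)
            esi += skip_len                                      # add esi/edi,[ebp+0x68]
            remaining -= skip_len                                # sub ecx,[ebp+0x68]
            if remaining <= 0:                                   # test ecx,ecx / je
                break
        word = unpack_from("<I", data, esi)[0]                   # lods dword [esi]
        out_word, prev = step(word, prev)
        pack_into("<I", out, esi, out_word)                      # stos dword [edi]
        esi += 4
        remaining -= 4                                           # sub ecx,3 ; loopd
    return bytes(out)


def _decrypt_step(cipher: int, prev: int) -> Tuple[int, int]:
    plain = ((cipher - SUB_CONST) & MASK32) ^ prev   # sub eax,CONST ; xor eax,edx
    return plain, cipher                              # pop edx: EDX = this ciphertext dword


def _encrypt_step(plain: int, prev: int) -> Tuple[int, int]:
    cipher = ((plain ^ prev) + SUB_CONST) & MASK32    # exact inverse of _decrypt_step
    return cipher, cipher


def shifu_decrypt(data: bytes, *, skip_at: Optional[int] = None,
                  skip_len: int = 0, edx_init: int = 0) -> bytes:
    """Decrypt a blob the way the loop in the listing does."""
    return _run_loop(data, _decrypt_step, skip_at, skip_len, edx_init)


def shifu_encrypt(data: bytes, *, skip_at: Optional[int] = None,
                  skip_len: int = 0, edx_init: int = 0) -> bytes:
    """Inverse transform; present only to build verifiable test input."""
    return _run_loop(data, _encrypt_step, skip_at, skip_len, edx_init)


if __name__ == "__main__":
    # Constructed input: a fake 32-byte "PE" starting with MZ. Bytes 8..15 stand in
    # for the region the loop skips over.
    plaintext = b"MZ\x90\x00" + bytes(range(4, 32))
    blob = shifu_encrypt(plaintext, skip_at=8, skip_len=8)
    assert shifu_decrypt(blob, skip_at=8, skip_len=8) == plaintext
    print(blob.hex())
```

Two things are easy to miss when re-implementing the loop: EDX is not touched by the skip branch, so the chained value carries across the gap, and a plaintext dword of zero with EDX equal to zero encrypts to the bare constant 0x562146BB, which is a quick way to confirm that the extracted constant and the operation order are right.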
The memory attribute at 0x400000 is changed to writable.
The content at 0x400000 is replaced (the address space of the original sample is overwritten and essentially replaced by the injection module).
The function address is changed in IAT:
- Anti-VM, anti-debugging, and sandbox detection
The sample identifies parameters contained in the command line.
Then the sample walks the process list looking for target processes: it hashes each enumerated process name with CRC32 by calling the RtlComputeCrc32 function.
Rather than comparing names in plaintext, it compares each hash with hard-coded constants that are the CRC32 values of specific process names, such as vmtoolsd.exe, so the names it looks for do not appear as readable strings in the sample.
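Because the names are stored only as CRC32 constants, an analyst who pulls the constants out of the comparison chain has to resolve them against a list of likely process names. The following Python code is an added example of that resolution step, not code from the NSFOCUS report or the sample. Facts taken from the report: the sample hashes process names with CRC32 via RtlComputeCrc32 and compares them with hard-coded values, and vmtoolsd.exe is one of the names it checks. Assumptions: RtlComputeCrc32 called with an initial value of 0 returns the standard CRC-32 that `zlib.crc32` computes; the encoding and letter case the sample hashes are not stated, so several forms are tried; the remaining candidate names are the usual executables of the analysis tools in the report's toolset, and the constants in the demo are computed here rather than recovered from the sample.

```python
import zlib
from typing import Dict, Iterable, Optional, Sequence, Tuple

# Added example, not code from the NSFOCUS report: resolve hard-coded CRC32
# constants back to process names. Assumption: RtlComputeCrc32(0, buf, len) equals
# the standard CRC-32 that zlib.crc32 computes.
MASK32 = 0xFFFFFFFF

# vmtoolsd.exe is named in the report; the rest are the usual executable names of the
# analysis tools in the report's toolset (ProcessMonitor, Wireshark, OllyDbg, IDA,
# Xuetr), added here as candidates.
CANDIDATE_NAMES: Sequence[str] = (
    "vmtoolsd.exe", "procmon.exe", "wireshark.exe",
    "ollydbg.exe", "idaq.exe", "xuetr.exe",
)


def name_forms(name: str) -> Iterable[Tuple[str, str, bytes]]:
    """Yield (form, encoding, raw bytes) for the case and encoding variants worth hashing.

    The sample's exact input (ASCII vs. UTF-16LE, original/lower/upper case) is
    unknown, so every combination is tried; dict.fromkeys de-duplicates forms.
    """
    for form in dict.fromkeys((name, name.lower(), name.upper())):
        yield form, "ascii", form.encode("ascii")
        yield form, "utf-16le", form.encode("utf-16-le")


def crc32_ascii(name: str) -> int:
    """CRC-32 of the ASCII bytes of `name`, what RtlComputeCrc32(0, ...) would yield (assumption)."""
    return zlib.crc32(name.encode("ascii")) & MASK32


def build_table(names: Sequence[str] = CANDIDATE_NAMES) -> Dict[int, Tuple[str, str]]:
    """Map CRC-32 constant -> (name form, encoding) for every variant of every candidate."""
    table: Dict[int, Tuple[str, str]] = {}
    for name in names:
        for form, enc, raw in name_forms(name):
            table.setdefault(zlib.crc32(raw) & MASK32, (form, enc))
    return table


def resolve(constants: Iterable[int],
            names: Sequence[str] = CANDIDATE_NAMES) -> Dict[int, Optional[Tuple[str, str]]]:
    """Map each hard-coded constant to (process name, encoding), or None if unresolved."""
    table = build_table(names)
    return {c: table.get(c & MASK32) for c in constants}


if __name__ == "__main__":
    # Constructed constants standing in for values pulled out of the sample's compare chain.
    recovered = [
        crc32_ascii("vmtoolsd.exe"),
        zlib.crc32("WIRESHARK.EXE".encode("utf-16-le")) & MASK32,
        0x12345678,   # deliberately unknown
    ]
    for const, hit in resolve(recovered).items():
        print(f"0x{const:08X} -> {hit or 'unresolved'}")
```

Unresolved constants are the useful output: each one is a process name the analyst has not guessed yet, and extending `CANDIDATE_NAMES` with further tool and sandbox process names is the iterative part of the work.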
The sample queries the region where each of three DNS servers (220.127.116.11, 18.104.22.168, and 22.214.171.124) used by the actual C&C server is located.
- NSFOCUS Detection Services
- NSFOCUS engineers provide onsite detection services.
- NSFOCUS provides online cloud detection services. You can visit the following link to apply for the trial use of NSFOCUS Threat Analysis Center (TAC): https://cloud.nsfocus.com/#/krosa/views/initcdr/productandservice?service_id=1018
- NSFOCUS Solutions for Removing Trojans
- Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC + Kingsoft V8+ terminal security system) to ensure that risk points are immediately eliminated in the network and the event impact is minimized. After the handling, an event analysis report is provided.
- Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to eradicate risks and prevent events from recurring.
- Long-term service: NSFOCUS provides industry-specific risk mitigation solutions (threat intelligence + attack traceback + professional security service).
After using the embedded local privilege escalation module to gain system-level privileges, this sample steals users' online banking login credentials.
Because the sample employs a variety of anti-debugging, anti-analysis, and anti-detection techniques, common antivirus software judges it benign and lets it pass, and it also evades common sandbox detection. For these reasons, the sample poses a serious danger to users.
The encrypted data in the original file of the sample is decrypted with the key 0x8D as follows:
```text
> %1\r\ndel %0
rundll32.exe shell32.dll, ShellExec_RunDLL %s
Content-Type: multipart/form-data; boundary=---------------------------%s\r\n
netstat\nProto\tLocal address\tRemote address\tState\n
%d\t%s\ntaskmgr\nPID\tProcess name\nnet user\n
the computer is joined to a domain\n..
%s = new ActiveXObject("WScript.Shell"); %s.Run("%s");
open "%s" -q%windir%\\system32\\sdbinst.exe
/c "start "" "%s" -d"
"%s" -u /c "%s\\SysWOW64\\SysSndVol.exe /c "start "" "%s" -d"
/c start "" "%s" " "
```
To download the full report, click: Shifu Banking Trojan Technical Analysis and Protection Solution
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.