“Shifu” Banking Trojan Technical Analysis and Solution

The banking trojan “Shifu” was discovered by the IBM counter fraud platform in April, 2015. Built based on the Shiz source code, this trojan employs techniques adopted by multiple notorious trojans such as Zeus, Gozi, and Dridex.


The banking trojan “Shifu” was discovered by the IBM counter fraud platform in April, 2015. Built based on the Shiz source code, this trojan employs techniques adopted by multiple notorious trojans such as Zeus, Gozi, and Dridex. This kind of trojan once mainly targeted 14 banks in Japan and has emerged in Britain since September 22, 2015, attacking at least more than 10 banks. On January 6, 2017, researchcenter.paloaltonetworks.com issued an article, indicating that the author of this trojan refined it in 2016. Specifically, this trojan, at its early stage, obtained system privileges of the attacked host by exploiting the vulnerability assigned CVE-2015-0003, but now achieves this purpose by leveraging the Windows privilege escalation vulnerability assigned CVE-2016-0167.

The sample analyzed in this document is a variant of the “Shifu” trojan. With privileges escalated to the system level by using the embedded system vulnerability exploitation module, this trojan steals users’ login credentials of the online banking business to cause damage.

The following figure shows the timeline of attacks launched via this trojan.


Microsoft Windows is a series of operating systems developed by Microsoft. win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager which controls window displays, as well as manages screen output.

The kernel-mode device driver contains a privilege escalation vulnerability because it does not properly handle objects in memory. An attacker could exploit this vulnerability to escalate his/her privileges and execute arbitrary code.

The following systems are affected:

  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2 and R2 SP1
  • Windows 7 SP1
  • Windows1
  • Windows Server 2012 Gold and R2
  • Windows RT 8.1
  • Windows 10 Gold and 1511

Propagation and Infection

  • File binding
  • Email attachment

Sample Analysis

  • Environment
System Windows 7 (32-bit)
Tools ProcessMonitor, Xuetr, Wireshark, OllyDbg, IDA
  • Detection Results of TAC

The following table lists other same-origin samples:

MD5 File Size Risk Level
f25528baf3d68444fa7d7fda382e9835 338948 High
ebf3e72f8b698bbb0d026416d7a75a6a 338948 Medium
e98459c647a6e328c8b65945884ef29a 338948 Medium
  • File Structure

  • Main Functions

[1] Covert attack: Attacks are completed through multiple encryptions and process injections.

[2] Network behavior: The sample collects information (including but not limited to the local time zone, current time, operating system version, antivirus software version, and host name) about local hosts, uploads it to the remote server, and keeps communicating with the remote server to control the user and steal its information.

[3] Sandbox detection: The sample provides anti-debugging and anti-virtual machine (VM) functions. That is, the sample checks whether it is likely to be in the sandbox by comparing file names, process names, user names, and system signatures.

[4] Confrontation with antivirus tools: The sample can detect multiple analysis tools, antivirus software, and sandboxes. When antivirus software is found, this sample enters a sleep infinite loop, exhibiting no malicious behaviors. When a sandbox is detected, this sample terminates the script interpreter, traffic capture tool, binary analysis tool, and other processes, cutting off the interaction between the sandbox and the outside or preventing the sandbox’s automated analysis of this sample.

[5] Persistent attack: This sample, via concealing and self-starting, implements persistent attacks against target hosts, by taking the following actions: injecting svchost.exe for concealing processes and creating JavaScript scripts in the Startup folder on the Start menu for completing self-starting.

The following figure shows the sample execution process.

Functions of this sample are as follows:

  • Decrypting the injector to overwrite the original code.

Code for decrypting the PE file is as follows:

Code for the decryption algorithm is as follows:

The memory attribute at 0x400000 is changed to writable.

The content at 0x400000 is replaced (the address space of the original sample is overwritten and essentially replaced by the injection module).

The function address is changed in IAT:

  • Anti-VM, anti-debugging, and sandbox detection
  • Anti-VM

The sample identifies parameters contained in the command line.

Then this sample searches the process list for target processes, encrypts the names of obtained processes with CRC32, and invokes the RtlComputeCrc32 function.

The sample checks whether such process names indicate specific processes such as vmtoolsd.exe, and then compares these names with hard code that is obtained after specific process names are encrypted with CRC32.


Attack Location

The sample queries the region where each of three DNS servers (,, and used by the actual C&C server is located.

Recommended Solution

  1. NSFOCUS Detection Services
  1. NSFOCUS Solutions for Removing Trojans
  • Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC + Kingsoft V8+ terminal security system) to ensure that risk points are immediately eliminated in the network and the event impact is minimized. After the handling, an event analysis report is provided.
  • Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to eradicate risks and prevent events from recurring.
  • Long-term service: NSFOCUS provides industry-specific risk mitigation solutions (threat intelligence + attack traceback + professional security service).


After using the embedded local system vulnerability exploitation module to escalate its privileges, this sample, with system-level privileges, steals user login credentials of the online banking business to cause harm.

As this sample provides various anti-debugging and analysis and detection means, common antivirus software regards it secure and passes it through. Also, it is able to escape common sandbox detection. Therefore, this sample is dangerous to users.

Using .bit domain names for network communication, this sample is more covert and anonymous, making it difficult to track.


The encrypted data in the original file of the sample is decrypted with the key 0x8D as follows:

Full text download please click:  Shifu Banking Trojan Technical Analysis and Protection Solution



NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:


NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.