“Shifu” Banking Trojan – Technical Analysis and Recommendations
January 27, 2017
By: NSFOCUS Security Labs
The banking Trojan “Shifu” was discovered by the IBM counter fraud platform in April, 2015. Built on the Shiz source code, this Trojan employs techniques adopted by multiple notorious Trojans such as Zeus, Gozi, and Dridex. This particular Trojan targeted 14 banks in Japan and re-emerged in Britain compromising 10 banks on September 22, 2015. On January 6, 2017, Palo Alto Networks issued an article indicating that the author of this Trojan re-engineered the exploit in 2016. Specifically, this Trojan at its early stage obtained system privileges of the attacked host by exploiting the vulnerability CVE-2015-0003, but now achieves its purpose by leveraging the Windows privilege escalation vulnerability CVE-2016-0167.
The sample discussed in this document is a variant of the “Shifu” Trojan with privileges escalated to the system level by using the embedded system vulnerability exploitation module. Moreover, this Trojan steals users’ login credentials of the online banking business to cause damage, commit fraud, and propagate the exploit.
Microsoft Windows employs the kernel-mode device driver win32k.sys and serves as a major operating component to the Windows subsystem. It contains the window manager which controls window displays, as well as manages screen output. The kernel-mode device driver contains a privilege escalation vulnerability because it does not properly handle objects in memory. Moreover, an attacker could exploit this vulnerability to escalate his/her privileges via execution of arbitrary malicious code.
The following operating systems are susceptible to the attack:
- Microsoft Windows Vista SP2
- Windows Server 2008 SP2 and R2 SP1
- Windows 7 SP1
- Windows 8.1
- Windows Server 2012 Gold and R2
- Windows RT 8.1
- Windows 10 Gold and 1511
The following figure specifies the timeline of the attacks launched via this specific Trojan, in addition to NSFOCUS security team investigation.
Propagation and Infection
- File binding
- Email attachment
a.) Covert attack – Attacks are completed through multiple encryptions and process injections.
b.) Network behavior – Collects information (including but not limited to the local time zone, current time, operating system version, antivirus software version, and host name) about local hosts, uploads it to the remote server (C&C), and keeps communicating with the remote server to monitor the user and steal their information.
c.) Sandbox detection – Supports anti-debugging and anti-virtual machine (VM) functions. Moreover, it is likely to be executed within a sandbox by comparing file names, process names, user names, and system signatures.
d.) Confrontation with antivirus tools – The ability to detect various analysis tools, antivirus software, and sandboxes. When antivirus software is found, this malware enters a sleep infinite loop, exhibiting no malicious behaviors. When a sandbox is detected, the malware sample terminates the script interpreter, traffic capture tool, binary analysis tool, and other processes; cutting off the interaction between the sandbox and the outside, or preventing the sandbox’s automated analysis of this sample.
The following figure shows the sample execution process:
Functions of this sample are as follows:
- Decrypting the injector to overwrite the original code.
- Determines whether DebugPort and ExceptionPort are occupied to validate whether the sample is in the remote debugging state.
- A comparison is made between the CRC32 checksum of the file name and the following values in the sample (new names are assigned by common sandboxes in this sample):
- If the preceding processes are running, they are terminated (ending the internal control of the sandbox). If the sample runs in the Windows XP (32-bit) environment, it enters a sleep loop.
- If a threat exploits one or more network services, disable, or block access to those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif, and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
The ‘Shifu’ malware supports a locally embedded system exploitation module that escalate¬s ¬user privileges and steals user login credentials of publicly accessible online banking business for nefarious purposes. Additionally, obfuscation occurs when various anti-debugging and analysis detection capabilities try to recognize the exploit. Common antivirus software and sandbox detection efforts are also powerless in defending, or identifying this particular malware strain.