I noticed since several days a shift in malware distribution in the UK.
Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.
First time I encountered that threat : 2014-10-08
| Image may be NSFW. Clik here to view.  |
| Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path 2014-10-08 |
So two days ago in UK traffic :
| Image may be NSFW. Clik here to view.  |
| 2015-09-22 - An Angler EK dropping 0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR traffic |
| Image may be NSFW. Clik here to view.  |
| Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 2015-09-22 |
| Image may be NSFW. Clik here to view.  |
| Apache Config |
| Image may be NSFW. Clik here to view.  |
| Data folder of the Apache installation |
Customers of 4 financial institutions are targeted by the injects stored in the config.xml
| Image may be NSFW. Clik here to view.  |
| config.xml |
| Image may be NSFW. Clik here to view.  |
| Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83 2015-09-22 |
Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu..and fast confirmed it looking at the sample.
So here we are: Shifu <3 GBR
| Image may be NSFW. Clik here to view.  |
| Shifu <3 GBR 2015-09-24 |
Files :ShifuPackage_2015-09-24.zip Password : malware
| Image may be NSFW. Clik here to view.  |
| Contains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects). |
Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.
Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee