
Shifu

Over the last several days I have noticed a shift in malware distribution in the UK.
Many of the infection paths that I follow are now dropping a banker that I had already seen many times, especially at the end of 2014 and mostly in Italy.

The first time I encountered that threat: 2014-10-08

Image: Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT-focused infection path (2014-10-08)
At that time I learnt from Frank Ruiz (Fox-IT) that he had spotted it one month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.

So, two days ago, in UK traffic:

Image: 2015-09-22 - Angler EK dropping 0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR traffic
I saw that banking trojan again (note: when contacted, Frank Ruiz told me that this banker's activity never really stopped). What was new to me is that it was installing Apache:

Image: Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 (2015-09-22)

Image: Apache config

Image: Data folder of the Apache installation

Customers of 4 financial institutions are targeted by the injects stored in the config.xml.

Image: config.xml

The same day I saw it again, in another malvertising campaign (read: another actor bringing the traffic), and this time not dropped directly but as a 2nd stage in a Bedep thread which was not grabbing an ad-fraud module:

Image: Angler EK pushing Bedep, which grabs 791491ba9f0a7670659f45f1e5421c83 (2015-09-22)

Seeing it again today in a malvertising campaign focused on the UK, I decided to write about it and contacted Brett Stone-Gross (Dell SecureWorks) to try to get the 'defense name' for this. He told me that what I was describing was probably Shifu, and quickly confirmed it after looking at the sample.

So here we are: Shifu <3 GBR

Image: Shifu <3 GBR (2015-09-24)

Side note: here are some of the DGA domains, in case the main domain stops working.

Files: ShifuPackage_2015-09-24.zip (password: malware)

Contains: 4 Fiddler captures, 1 pcap, 6 samples and 2 Apache config folders (with injects).

Thanks: Frank Ruiz (Fox-IT) and Brett Stone-Gross (Dell SecureWorks) for their input, insight and awesomeness.

Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee
