In recent weeks, McAfee Labs has analyzed a recently discovered banking Trojan that combines elements from multiple malware tools. Shifu has circulated since April, and attacks primarily Japanese banks.
Installation
This malware arrives as a file dropped by other malware or as a file downloaded unknowingly by users when visiting compromised sites. Upon installation the malware drops the following files:
- %All Users Profile%\Application Data\{random}.tmp.bat
- %Application Data%\{random characters}. Contains logs of running applications and accessed applications
It drops and executes the following files:
- %All Users Profile%\Application Data\{random}.exe
The malware creates a run registry entry to execute itself every time Windows starts: HKCU\Software\Microsoft\Windows\CurrentVersion\RunMcAfeePowerAgent9 = rundll32.exe shell32.dll, ShellExec_RunDLL %All Users Profile%\Application Data\{random}.exe
Obscuring techniques
This recently discovered malware family makes use of a large arsenal of tricks to avoid being detected by traditional security solutions. It terminates itself if the computer name of the machine is SANDBOX or FORTINET.
It terminates itself if any of the following files are found:
- c:\sample\pos.exe
- %Systems%\drivers\vmmouse.sys
- %Systems%\drivers\vmhgfs.sys
- %Systems%\drivers\vboxmouse.sys
- c:\analysis\sandboxstarter.exe
- c:\analysis
- c:\insidetm
The following image shows the malware searching for c:\sample\pos.exe.
The malware terminates if it is being debugged. The IsDebuggerPresent API detects if the program is being debugged and if it is, the malware can change its behavior. (We commonly find this API in malware samples.) Using these techniques, the malware developers are trying to make the malware analyst’s task more difficult. Shifu also uses the sleep API, which can set the application to sleep for an infinite amount of time.
Shifu can also check for antiautomation. Generally, in a normal system the foreground window changes when the user switches between tasks. In an automation system, though, there is usually only a single task running a possibly malicious sample and monitoring its behavior. The malware makes cunning use of this difference between the two types of systems. First, it checks by calling GetForegroundWindow() and saves the handle of the window. After that it checks whether the foreground window has changed by continuously calling the same function. The rest of the code won’t be executed until the window has changed.
Injecting asynchronous procedure calls
Thread creation usually requires overhead, so malware often use asynchronous procedure call injection, which can invoke a function on a current thread. These calls can direct a thread to execute some other code prior to executing its regular execution path. The malware checks running processes on infected systems via the CreateToolhelp32Snapshot method that PoS RAM scrapers commonly use. In the following snapshot we can see the malware targeting code by looking for API calls such as Createtoolhelp32snapshot (takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes), Process32First, and Process32next to find the target process. The malware retrieves all processes lists and saves them in its own memory. One of the injected malicious code threads is responsible for periodically scraping the memory of active non–system processes on the infected machine for credit card information.
The malware uses HTTP POST requests to exfiltrate the stolen data it scrapes and sends it to a control server. The stolen information is then relayed back to the control server. Here malware injects code into one of the two running process, explorer.exe and csrss.exe.
Shifu uses the domain generation algorithm to create random domain names for covert botnet communications. Here’s a look at the traffic, which shows the generated random domain names:
The malware uses mailslot for one-way interprocess communications between processes both locally and over a network. It can also store the track information and stolen data in mailslot and send the data to its control server using a POST request.
Shifu retrieves the path of the currently running executable by GetModuleFileName call. The GetModuleFileName call is needed because the malware may not know its directory or filename. By dynamically obtaining this information the malware can install the service no matter which executable is called or where it is stored.
The malware uses SHGetValueA to get a value from an open registry key or from a named subkey.
As usual, the unpacked code is injected in the newly remapped memory.
The malware sends the victim’s version info, PC name, GUID, etc. through HTTP Post to the remote server. A code snippet:
The MD5 used in the analysis of Shifu:
1391642185CA3F066988A96BA6AA4B63
E60F72FFA76386079F2645BE2ED84E53
A Yara rule to detect Shifu:
rule Shifu : Shifu
{
strings:
$a = “CryptCreateHash”
$b = “RegCreateKeyA”
$c = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 22 00 22 00 20 00 22 00 25 00 73 00 22 00 20 00 25 00 73 00 00 00 00 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 72 00 75 00 6E}
$d = {53 00 6E 00 64 00 56 00 6F 00 6C 00 2E 00 65 00 78 00 65}
$e = {52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 45 00 58 00 45}
condition:
all of them
}
This is just the tip of the iceberg. As we dig deeper into this malware and unearth more we will update you.
McAfee products detect this malware as Trojan-Shifu! [Partial hash], with DAT Version 7930 and later.