Shifu was first discovered in August 2015 by IBM Security but it appears to have been active since April 2015. Shifu targeted multiple Japanese banks and electronic banking platforms in some European countries. This trojan is highly sophisticated and includes some malware features from other trojans such as Shiz, Gozi, Zeus, and Dridex. Shifu is distributed through the Angler exploit kit which typically infects devices using email links to spread the malicious code. Shifu contains additional modules designed for secure communication with C2 servers, including a self-signed certificate, similar to the Dyre trojan. The initial package contains the following: anti-analysis tools, browser hooking and webinject parser, keylogger, screenshot grabber, certificate grabber, endpoint classification, remote-access tools, and bot-control modules. Shifu is capable of stealing data from smartcards, stealing money from cryptocurrency wallets on infected systems, and detecting and stealing payment data from point-of-sale (PoS) systems.


Technical Details

  • iSightPartners provides technical details on the Shifu trojan, available here.