Trojan Horse


The banking Trojan “Shifu” was discovered by the IBM counter fraud platform in April 2015. Built on the Shiz source code, this Trojan employs techniques adopted by multiple notorious Trojans such as Zeus, Gozi, and Dridex. It targeted 14 banks in Japan and re-emerged in Britain on September 22, 2015, compromising 10 banks. On January 6, 2017, Palo Alto Networks published an article indicating that the author of this Trojan re-engineered the exploit in 2016. Specifically, at its early stage this Trojan obtained system privileges on the attacked host by exploiting the vulnerability CVE-2015-0003, but it now achieves the same goal by leveraging the Windows privilege escalation vulnerability CVE-2016-0167.

The sample discussed in this document is a variant of the “Shifu” Trojan that escalates its privileges to the system level by using an embedded system vulnerability exploitation module. The Trojan then steals users’ online banking login credentials to cause damage, commit fraud, and propagate the exploit.

Microsoft Windows employs the kernel-mode device driver win32k.sys, a major component of the Windows subsystem. It contains the window manager, which controls window display and manages screen output. This driver contains a privilege escalation vulnerability because it does not properly handle objects in memory; an attacker who exploits it can execute arbitrary malicious code and escalate his/her privileges.

The following operating systems are susceptible to the attack:

  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2 and R2 SP1
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2012 Gold and R2
  • Windows RT 8.1
  • Windows 10 Gold and 1511

The following figure shows the timeline of the attacks launched via this specific Trojan, together with the NSFOCUS security team’s investigation.

Propagation and Infection

  • File binding
  • Email attachment

File Structure

Specific Capabilities

a.) Covert attack – Attacks are completed through multiple layers of encryption and process injection.

b.) Network behavior – Collects information about the local host (including but not limited to the local time zone, current time, operating system version, antivirus software version, and host name), uploads it to the remote server (C&C), and keeps communicating with the remote server to monitor the user and steal their information.

c.) Sandbox detection – Supports anti-debugging and anti-virtual machine (VM) functions, and determines whether it is likely running inside a sandbox by comparing file names, process names, user names, and system signatures.

d.) Confrontation with antivirus tools – Detects various analysis tools, antivirus software, and sandboxes. When antivirus software is found, the malware enters an infinite sleep loop and exhibits no malicious behavior. When a sandbox is detected, the sample terminates the script interpreter, traffic capture tool, binary analysis tool, and other processes, cutting off the interaction between the sandbox and the outside world or preventing the sandbox’s automated analysis of the sample.

e.) Persistent attack – This sample conceals itself and self-starts in order to persist on target hosts: it injects into an exe to conceal its process, and creates JavaScript scripts in the Startup folder and on the Start menu to start itself automatically.

The following figure shows the sample execution process:

Functions of this sample are as follows:

1. Decrypts the injector and overwrites the original code with it.

2. Checks whether DebugPort and ExceptionPort are in use to determine whether the sample is being remotely debugged.

3. Compares the CRC32 checksum of its file name against the following values hardcoded in the sample (these are the new names commonly assigned to samples by sandboxes):

4. If the preceding processes are running, they are terminated (ending the sandbox’s internal control). If the sample runs in a 32-bit Windows XP environment, it enters a sleep loop.
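Step 3 compares hashes rather than plaintext names, so an analyst who pulls the hardcoded CRC32 values out of a sample has to resolve them back to file names. The following Python is an added example (not code from the NSFOCUS report or the sample) of that analyst-side workflow: build a CRC32 lookup table from candidate names and resolve hashes against it. It assumes, since the page does not say, that the sample hashes the lower-cased ASCII file name without its path; the candidate names and "hardcoded" hashes below are constructed, not the report's values.

```python
import zlib
from typing import Dict, Iterable, Optional


def crc32_name(name: str) -> int:
    """CRC32 of a file name as a 32-bit unsigned value.

    Assumption (not stated on the page): the sample hashes the lower-cased
    ASCII/UTF-8 bytes of the bare file name, without any path component.
    """
    return zlib.crc32(name.lower().encode("utf-8")) & 0xFFFFFFFF


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute CRC32 -> name so hashes lifted from a sample can be looked up."""
    return {crc32_name(n): n for n in names}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hardcoded hash to a candidate name, or None when no candidate matches."""
    return {h: table.get(h) for h in hashes}


def is_flagged_name(name: str, hardcoded: Iterable[int]) -> bool:
    """Mirror of the sample's own check: is this file name's CRC32 in the list?"""
    return crc32_name(name) in set(hardcoded)


# Constructed candidate list for this example; NOT the names from the report,
# whose table is not reproduced on the page.
CANDIDATE_NAMES = ["sample.exe", "malware.exe", "virus.exe", "test.exe", "file.exe"]

# Constructed "hardcoded" list, standing in for values an analyst would copy
# out of a disassembly. 0xDEADBEEF is deliberately unresolvable.
CONSTRUCTED_HASHES = [crc32_name("sample.exe"), crc32_name("malware.exe"), 0xDEADBEEF]


if __name__ == "__main__":
    table = build_table(CANDIDATE_NAMES)
    for h, n in resolve_hashes(CONSTRUCTED_HASHES, table).items():
        print(f"0x{h:08X} -> {n or '<unresolved>'}")
```

Unresolved hashes are the interesting ones: they indicate names not in the candidate list, and feeding a larger wordlist of sandbox and analysis-tool file names into build_table is how such lists are recovered in practice.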


The ‘Shifu’ malware carries a locally embedded system exploitation module that escalates user privileges, and it steals users’ login credentials for publicly accessible online banking services for nefarious purposes. Additionally, it uses various anti-debugging and analysis-detection capabilities to obfuscate itself, and common antivirus software and sandbox detection efforts are powerless to defend against or identify this particular malware strain.


NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms
