{"id":45371,"date":"2015-09-24T12:33:07","date_gmt":"2015-09-24T19:33:07","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=45371"},"modified":"2025-06-02T01:37:11","modified_gmt":"2025-06-02T08:37:11","slug":"japanese-banking-trojan-shifu-combines-malware-tools","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/","title":{"rendered":"Japanese Banking Trojan Shifu Combines Malware Tools"},"content":{"rendered":"<p>In recent weeks, McAfee Labs has analyzed a recently discovered banking Trojan that combines elements from multiple malware tools. Shifu has circulated since April, and\u00a0attacks primarily Japanese banks.<\/p>\n<h2><strong>Installation<\/strong><\/h2>\n<p>This malware arrives as a file dropped by other malware or as a file downloaded unknowingly by users when visiting compromised sites. Upon installation the malware drops the following files:<\/p>\n<ul>\n<li>%All Users Profile%\\Application Data\\{random}.tmp.bat<\/li>\n<li>%Application Data%\\{random characters}.\u00a0Contains logs of running applications and accessed applications<\/li>\n<\/ul>\n<p>It drops and executes the following files:<\/p>\n<ul>\n<li>%All Users Profile%\\Application Data\\{random}.exe<\/li>\n<\/ul>\n<p>The malware creates a run registry entry to execute itself every time Windows starts: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunMcAfeePowerAgent9 = rundll32.exe shell32.dll, ShellExec_RunDLL %All Users Profile%\\Application Data\\{random}.exe<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-45372\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/19.png\" alt=\"1\" width=\"1200\" height=\"154\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/19.png 1200w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/19-300x39.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/19-1024x131.png 1024w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/><\/a><\/p>\n<h2><strong>Obscuring techniques<\/strong><\/h2>\n<p>This recently discovered malware family makes use of a large arsenal of tricks\u00a0to avoid being detected by traditional security solutions. It terminates itself if the computer name of the machine is SANDBOX or FORTINET.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-45373\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/25.png\" alt=\"2\" width=\"1352\" height=\"399\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/25.png 1352w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/25-300x89.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/25-1024x302.png 1024w\" sizes=\"auto, (max-width: 1352px) 100vw, 1352px\" \/><\/a><\/p>\n<p>It terminates itself if any of the following files are found:<\/p>\n<ul>\n<li>c:\\sample\\pos.exe<\/li>\n<li>%Systems%\\drivers\\vmmouse.sys<\/li>\n<li>%Systems%\\drivers\\vmhgfs.sys<\/li>\n<li>%Systems%\\drivers\\vboxmouse.sys<\/li>\n<li>c:\\analysis\\sandboxstarter.exe<\/li>\n<li>c:\\analysis<\/li>\n<li>c:\\insidetm<\/li>\n<\/ul>\n<p>The following image shows the\u00a0malware searching for c:\\sample\\pos.exe.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/38.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45374 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/38.png\" alt=\"3\" width=\"1016\" height=\"146\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/38.png 1016w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/38-300x43.png 300w\" sizes=\"auto, (max-width: 1016px) 100vw, 1016px\" 
\/><\/a><\/p>\n<p>The malware\u00a0terminates if it is being debugged. The IsDebuggerPresent\u00a0API detects if the program is being debugged and if it is, the malware\u00a0can change its behavior. (We commonly find this API in malware samples.) Using these techniques, the malware developers are trying to make the malware analyst\u2019s task more difficult. Shifu also uses the\u00a0Sleep API, which can set the application to sleep for an infinite amount of time.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/161.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45375 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/161.png\" alt=\"16\" width=\"759\" height=\"224\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/161.png 759w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/161-300x89.png 300w\" sizes=\"auto, (max-width: 759px) 100vw, 759px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/58.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45376 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/58.png\" alt=\"5\" width=\"916\" height=\"157\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/58.png 916w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/58-300x51.png 300w\" sizes=\"auto, (max-width: 916px) 100vw, 916px\" \/><\/a><\/p>\n<p>Shifu also performs an anti-automation check. Generally, in a normal system the foreground window changes when the user switches between tasks. In an automation system, though, there is usually only a single task running a possibly malicious sample and monitoring its behavior. The malware makes cunning use of this difference between the two types of systems. First, it calls GetForegroundWindow() and saves the handle of the window. 
After that it checks whether the foreground window has changed by continuously calling the same function. The rest of the code won\u2019t be executed until the window has changed.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/65.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45377 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/65.png\" alt=\"6\" width=\"777\" height=\"67\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/65.png 777w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/65-300x26.png 300w\" sizes=\"auto, (max-width: 777px) 100vw, 777px\" \/><\/a><\/p>\n<h2><strong>Injecting asynchronous procedure calls<\/strong><\/h2>\n<p>Thread creation usually requires overhead, so malware often uses asynchronous procedure call injection, which can invoke a function on a current thread. These calls can direct a thread to execute some other code prior to executing its regular execution path. The malware checks running processes on infected systems via the CreateToolhelp32Snapshot method that PoS RAM scrapers commonly use. In the following snapshot we can see the\u00a0malware\u2019s targeting code, which uses API calls such as CreateToolhelp32Snapshot (takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes), Process32First, and Process32Next to find the target process. The malware retrieves the list of all processes and saves it in its own memory. 
One of the injected malicious code threads is responsible for\u00a0periodically scraping the memory of active non-system processes on the infected machine for credit card information.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/76.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45378 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/76.png\" alt=\"7\" width=\"861\" height=\"477\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/76.png 861w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/76-300x166.png 300w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/a><\/p>\n<p>The malware uses HTTP POST requests to exfiltrate the data it scrapes, sending it to a control server. The stolen information is then relayed back to the control server. Here the malware injects code into one of two running processes, explorer.exe or csrss.exe.<\/p>\n<p>Shifu uses a domain generation algorithm to create\u00a0random domain names for covert botnet communications. 
Here\u2019s a look at the traffic, which shows the generated random domain names:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/88.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45380 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/88.png\" alt=\"8\" width=\"988\" height=\"623\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/88.png 988w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/88-300x189.png 300w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\" \/><\/a><\/p>\n<p>The malware uses a mailslot for one-way interprocess communications between processes both locally and over a\u00a0network.\u00a0It can also store the track information and stolen data in the mailslot and send the data to its control server using a POST request.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/116.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45382 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/116.png\" alt=\"11\" width=\"754\" height=\"201\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/116.png 754w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/116-300x80.png 300w\" sizes=\"auto, (max-width: 754px) 100vw, 754px\" \/><\/a><\/p>\n<p>Shifu retrieves the path of the currently running executable with a GetModuleFileName call. The GetModuleFileName call is needed because the malware may not know its directory or filename. 
By dynamically obtaining this information the malware\u00a0can install the service no matter which executable is called or where it is stored.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/125.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45383 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/125.png\" alt=\"12\" width=\"969\" height=\"141\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/125.png 969w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/125-300x44.png 300w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/a><\/p>\n<p>The malware uses SHGetValueA to get a value from an open registry key or from a named subkey.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/132.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45384 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/132.png\" alt=\"13\" width=\"1245\" height=\"231\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/132.png 1245w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/132-300x56.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/132-1024x190.png 1024w\" sizes=\"auto, (max-width: 1245px) 100vw, 1245px\" \/><\/a><\/p>\n<p>As usual, the unpacked code is injected in the newly remapped memory.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/143.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-45385 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/143.png\" alt=\"14\" width=\"660\" height=\"374\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/143.png 660w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/143-300x170.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/a><\/p>\n<p>The malware sends the victim\u2019s version info, PC\u00a0name, GUID, 
etc. through\u00a0HTTP POST\u00a0to the remote server. A code snippet:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/152.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-45386\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/152.png\" alt=\"15\" width=\"1103\" height=\"232\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/152.png 1103w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/152-300x63.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/152-1024x215.png 1024w\" sizes=\"auto, (max-width: 1103px) 100vw, 1103px\" \/><\/a><\/p>\n<p>The MD5 hashes used in the analysis of Shifu:<br \/>\n1391642185CA3F066988A96BA6AA4B63<br \/>\nE60F72FFA76386079F2645BE2ED84E53<\/p>\n<p>A Yara rule to detect Shifu:<br \/>\nrule Shifu : Shifu<br \/>\n{<br \/>\nstrings:<\/p>\n<p>$a = &quot;CryptCreateHash&quot;<br \/>\n$b = &quot;RegCreateKeyA&quot;<br \/>\n$c = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 22 00 22 00 20 00 22 00 25 00 73 00 22 00 20 00 25 00 73 00 00 00 00 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 72 00 75 00 6E}<br \/>\n$d = {53 00 6E 00 64 00 56 00 6F 00 6C 00 2E 00 65 00 78 00 65}<br \/>\n$e = {52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 45 00 58 00 45}<\/p>\n<p>condition:<br \/>\nall of them<br \/>\n}<\/p>\n<p>This is just the tip of the iceberg. As we dig deeper into this malware and unearth more we will update you.<\/p>\n<p>McAfee products detect this malware as Trojan-Shifu! <em>[Partial hash],<\/em> with DAT Version 7930 and later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In recent weeks, McAfee Labs has analyzed a recently discovered banking Trojan that combines elements from multiple malware tools. 
Shifu&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[49,3952,180],"coauthors":[3973],"class_list":["post-45371","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-botnet","tag-internet-security","tag-malware"],"acf":[],"yoast_head_json":{"title":"Japanese Banking Trojan Shifu Combines Malware Tools | McAfee Blog","description":"A new banking Trojan combines elements of multiple malware tools. Shifu has circulated since April, and attacks primarily Japanese banks.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Japanese Banking Trojan Shifu Combines Malware Tools | McAfee Blog","og_description":"A new banking Trojan combines elements of multiple malware tools. Shifu has circulated since April, and attacks primarily Japanese banks.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2015-09-24T19:33:07+00:00","article_modified_time":"2025-06-02T08:37:11+00:00","og_image":[{"width":1200,"height":154,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/19.png","type":"image\/png"}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Japanese Banking Trojan Shifu Combines Malware Tools","datePublished":"2015-09-24T19:33:07+00:00","dateModified":"2025-06-02T08:37:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/"},"wordCount":845,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/19.png","keywords":["botnet","internet security","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/","name":"Japanese Banking Trojan Shifu Combines Malware Tools | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/19.png","datePublished":"2015-09-24T19:33:07+00:00","dateModified":"2025-06-02T08:37:11+00:00","description":"A new banking Trojan combines elements of multiple malware tools. Shifu has circulated since April, and attacks primarily Japanese banks.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/19.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/19.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/japanese-banking-trojan-shifu-combines-malware-tools\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Japanese Banking Trojan Shifu Combines Malware 
Tools"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for 
everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/45371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=45371"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/45371\/revisions"}],"predecessor-version":[{"id":214830,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/45371\/revisions\/214830"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=45371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=45371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=45371"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=45371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}