
A Tale of Shifu and its Attempt to Bypass FortiSandbox

By Floser Bacurio | November 03, 2015


Over the last few months, the Shifu banking Trojan has become more prevalent in the wild, and the malware family has been getting a fair amount of attention from both researchers and the mainstream media. We also became aware that this malware attempts to bypass our sandbox technology, FortiSandbox. In this post, we will share some of our findings on this new banking Trojan and also talk about how our technologies can support and address Shifu.


While the Shifu malware family is known to target Japan primarily, we have seen other regions being affected as well. For instance, the recently reported Shifu downloader 14e859f0048314a705222a13ead89660 (detected as WM/Dloader.E52E!tr) being spammed to Japanese companies also landed in other countries. Based on our telemetry results below, there is a significant presence of this sample in the US and Korea; Sri Lanka, India, and Thailand also appeared in the list:


Figure 1: Shifu’s downloader hits per region

Anti-sandbox and anti-VM

Numerous anti-sandbox and anti-VM detection mechanisms commonly used in a variety of modern malware are also found in Shifu. The following is a list of some process names blacklisted by Shifu and their respective hashes:


Table 1: Process Name and CRC32 Hash

As the table shows, Shifu specifically tries to avoid FortiSandbox by checking for the FortiTracer.exe process name. This is not the first malware family that attempts to avoid our sandboxing product; we previously encountered Rowmanti and Ippedo trying to evade detection by FortiSandbox by checking the same process name. It is worth noting that this evasion technique is not going to work for bypassing FortiSandbox.
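For analysts who pull such a CRC32 blacklist out of a sample, the following added example (not code from this post or from Fortinet) resolves the hashes back to process names using a candidate wordlist. It assumes the standard zlib CRC-32 and tries several case variants because the sample's case folding is not stated here; the "extracted" hashes are constructed at runtime from sample names and are not Shifu's real values.

```python
import zlib

# Candidate process names to test. FortiTracer.exe is the name cited in the
# post; the others are constructed examples for this illustration.
CANDIDATES = [
    "FortiTracer.exe",
    "procmon.exe",
    "wireshark.exe",
    "vmtoolsd.exe",
    "notepad.exe",
]


def crc32(name: str) -> int:
    """Standard CRC-32 (zlib / IEEE 802.3) over the UTF-8 bytes of a name."""
    return zlib.crc32(name.encode("utf-8")) & 0xFFFFFFFF


def build_lookup(candidates):
    """Map each hash to the (name, case variant) pairs that produce it."""
    table = {}
    for name in candidates:
        variants = (("as-is", name), ("lower", name.lower()), ("upper", name.upper()))
        for label, text in variants:
            table.setdefault(crc32(text), set()).add((name, label))
    return table


def resolve(extracted, candidates):
    """Return {hash: sorted matches}; an unresolved hash maps to an empty list."""
    table = build_lookup(candidates)
    return {h: sorted(table.get(h, ())) for h in extracted}


def sample_extracted_hashes():
    """Constructed stand-in for constants recovered from a binary (assumption)."""
    return [crc32("fortitracer.exe"), crc32("PROCMON.EXE"), crc32("unlisted-tool.exe")]


if __name__ == "__main__":
    for value, matches in resolve(sample_extracted_hashes(), CANDIDATES).items():
        names = ", ".join(f"{n} ({v})" for n, v in matches) or "unresolved"
        print(f"0x{value:08X} -> {names}")
```

Unresolved hashes indicate a gap in the wordlist or a non-standard hash variant, both of which are worth recording in the analysis notes.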

Mitigation with security products

When we tested the latest Shifu samples (SHA1: 55e6af5727e02c624adf35e2eeac3285aa0a689c) against FortiSandbox, it was not surprising that the sandbox was able to identify these samples by their malicious behaviors and flag them as such. In other words, future versions of this malware should be detected by FortiSandbox regardless of future updates to the polymorphic binary file by Shifu’s author, thanks to the malware’s old-new fishy techniques.

Figure 2: Shifu’s sample flagged as malicious injector

Figure 3: Summary showing its malicious behaviors

We also tested it against our FortiClient. FortiClient detected the sample and was able to clean the Shifu infection on the machine successfully. Existing FortiGate customers are also protected via the IPS signature Shifu.Botnet. Note that the signature requires SSL deep inspection, so you need to enable this feature to effectively block the connection between Shifu and its command-and-control server.

Figure 4: Showing that FortiClient detects the sample


Shifu is not very sophisticated at the moment, as it uses some classic techniques that are covered by many security products. As presented above, our FortiSandbox and FortiClient technologies are able to support and mitigate Shifu successfully, despite the malware's evasion techniques.

An in-depth analysis of Shifu is available in our VB article “SHIFU – THE RISE OF A SELF-DESTRUCTIVE BANKING TROJAN”.

-=FortiGuard Lion Team=-