Infostealer.Shifu
First posted on 14 October 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Shifu.
Explanation:
Once executed, the Trojan copies itself to the following location:
%UserProfile%\Application Data\[RANDOM FILE NAME].exe
The Trojan creates the following file:
%UserProfile%\Application Data\[RANDOM FILE NAME].tmp
The Trojan creates the following folder:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\"IntelPowerAgent[RANDOM CHARACTERS]" = "rundll32.exe shell32.dll, ShellExec_RunDLL %UserProfile%\Application Data\[RANDOM FILE NAME].exe"
Next, the Trojan connects to one or more of the following remote locations:
[https://]freewebpj.com/news/userlo[REMOVED]
[https://]freewebpj.com/news/userpa[REMOVED]
[https://]freewebpj.com/news/imageup[REMOVED]
[https://]freewebpj.com/news/user[REMOVED]
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Download and execute files
Take screenshots
Create directories
Log keystrokes
Collect operating system information
Collect information about installed security programs
Collect POP3 and FTP credentials
Collect Bitcoin and Litecoin wallet information
Collect confidential information entered into browsers, such as login credentials for banks or other websites
The Trojan stores the stolen information at the following locations before sending it to a remote location:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]
%UserProfile%\Application Data\[RANDOM FILE NAME].tmp
The Trojan may also inject malicious code into other processes.
Last update 14 October 2015
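The persistence entry and the contact URLs above are the two indicators a defender can check mechanically. The script below is an added example, not part of the Symantec write-up: it matches exported HKCU Run values against the IntelPowerAgent/rundll32 ShellExec_RunDLL pattern and scans proxy log lines for the freewebpj.com/news/ paths. The Run values, the proxy log lines, and the path suffix "_REDACTED" (standing in for the part the advisory marks [REMOVED]) are all constructed sample data; matching is done on the prefixes the advisory does show.

```python
import re

# Constructed sample of HKCU\...\CurrentVersion\Run values (name -> data).
# Only the first one follows the Shifu pattern described in the advisory.
SAMPLE_RUN_VALUES = {
    "IntelPowerAgentXk3q": r"rundll32.exe shell32.dll, ShellExec_RunDLL "
                           r"C:\Users\alice\Application Data\a8f3c.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

# Constructed proxy log lines (Squid-like layout). The real URL suffixes are
# truncated in the advisory, so "_REDACTED" is a placeholder, not real data.
SAMPLE_PROXY_LOG = [
    "1444820400.123 312 10.0.0.15 TCP_MISS/200 1532 POST https://freewebpj.com/news/userlo_REDACTED - HIER_DIRECT/203.0.113.7 text/html",
    "1444820401.456 120 10.0.0.22 TCP_MISS/200 8841 GET https://example.org/index.html - HIER_DIRECT/198.51.100.4 text/html",
    "1444820402.789 298 10.0.0.15 TCP_MISS/200 2210 POST https://freewebpj.com/news/imageup_REDACTED - HIER_DIRECT/203.0.113.7 text/html",
]

# Value name: "IntelPowerAgent" followed by random characters.
RUN_NAME_RE = re.compile(r"^IntelPowerAgent", re.IGNORECASE)
# Launcher: rundll32.exe shell32.dll, ShellExec_RunDLL <target>
RUNDLL_SHELLEXEC_RE = re.compile(
    r"rundll32(\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL\s+(?P<target>.+)", re.IGNORECASE)
# Target: an .exe placed directly under the Application Data folder.
APPDATA_EXE_RE = re.compile(r"\\Application Data\\[^\\]+\.exe$", re.IGNORECASE)
# Contact URLs: the four /news/ path prefixes listed in the advisory.
SHIFU_URL_RE = re.compile(
    r"https?://freewebpj\.com/news/(userlo|userpa|imageup|user)", re.IGNORECASE)


def classify_run_value(name, data):
    """Return the reasons a Run value matches the Shifu persistence pattern."""
    reasons = []
    if RUN_NAME_RE.match(name):
        reasons.append("value name matches IntelPowerAgent[RANDOM CHARACTERS]")
    m = RUNDLL_SHELLEXEC_RE.search(data)
    if m:
        reasons.append("launched via rundll32 shell32.dll ShellExec_RunDLL")
        target = m.group("target").strip().strip('"')
        if APPDATA_EXE_RE.search(target):
            reasons.append("target is an .exe directly under Application Data")
    return reasons


def scan_run_values(values):
    """Map each suspicious Run value name to its list of match reasons."""
    hits = {}
    for name, data in values.items():
        reasons = classify_run_value(name, data)
        if reasons:
            hits[name] = reasons
    return hits


def find_c2_requests(log_lines):
    """Return (client_ip, url) for every proxy line hitting a listed Shifu path."""
    found = []
    for line in log_lines:
        m = SHIFU_URL_RE.search(line)
        if m:
            fields = line.split()
            found.append((fields[2], m.group(0)))
    return found


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(f"Run value {name!r}: " + "; ".join(reasons))
    for client, url in find_c2_requests(SAMPLE_PROXY_LOG):
        print(f"{client} contacted {url}")
```

On a live host the Run values would come from a registry export or a Windows event feed rather than the constructed dictionary, and the regular expressions are deliberately loose about spacing and case, since the advisory gives the command line in one canonical form only. The /news/user prefix on its own is broad, so treat a URL hit as a lead to confirm against the Run key and the Application Data artifacts rather than as a verdict by itself.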