Lifting the Seams of the Shifu “Patchwork” Malware

Lifting the Seams of the Shifu “Patchwork” Malware

Authored by: Clemens Kolbitsch and Arunpreet Singh

Another week comes to an end, another wave of evasive malware is attacking users. This week: Shifu. This malware family, termed an Uber Patchwork of Malware Tools in a recent DarkReading post, combines a plethora of evasive tricks to bypass traditional analysis systems, and has attacked at least 14 Japanese banks according to DarkReading.

Also this week, Virus Bulletin released an article dissecting another malware family using a wide-range of tricks specifically targeting dynamic analysis systems, and tests this malware against publicly accessible analysis systems – with disappointing results for these sandboxes.

Addressing Evasive Malware Using Full System Emulation

In a number of recent posts, we have discussed various techniques to attack traditional sandbox solutions, and how the Lastline solution is able to counteract these attacks using full-system emulation and detection of dormant code.

To name just a few examples: Dyre checks for the number of CPU cores available on the host to detect suspicious hardware configurations, Rombertik uses stalling code to delay any malicious behavior until the point where an automated analysis system gives up and falsely classifies it as benign, and a similar technique – inverted timing attacks – defeats sandboxes that try to bypass stalling code in a naive way.

Catching Shifu Using Full System Emulation

The recently discovered Shifu family makes use of a large arsenal of tricks to avoid being detected by traditional security solutions. Unfortunate for the attacker, the Lastline solution is able to not only bypass these tricks, but even use them against the attacker: the more evasive a piece of code becomes, the more suspicious it looks!

The analysis result generated by the Lastline solution clearly shows that the system is not only able to classify Shifu as malicious, but it also highlights the main malware payload (code injection into the browser) as well as eight different attempts to evade detection:

Lastline analysis report exposing plethora of evasive tricks used by Shifu malware

Analyzing the market verticals in which this malware family has been seen, it is easy to see that the Shifu malware targets financial institutions as well as security services protecting them:

Market verticals showing Shifu to be part of Banking and Security Services customers

Information on marketing verticals helps users see if an attack is specific to their business and allows them to prioritize security incidents accordingly.

Virus Bulletin Article Tests Sandboxes

Just like Shifu, one of the malware samples analyzed for the article posted by Virus Bulletin uses a number of tricks to detect – and in turn evade – analysis sandboxes. In their report, the authors show that the sample was successful in evading four different sandbox solutions.

Inspired by the highly positive outcome of the recent NSS Labs report, we were curious to see how our system would do. The outcome of the analyzed sample is very similar to Shifu: the report highlights how the Lastline solution can leverage evasive tricks to classify malware, and turn the attackers’ weapons against them:

Analysis report highlighting evasive behavior

The analysis report generated by the Lastline solution exposes the evasive code, and also highlights that the malware executed its payload: collecting user information and connecting to its command-and-control infrastructure.


Evasive malware is not news, it’s becoming the standard. Security solutions need to evolve and tackle this threat to protect users, or they will fall short like traditional security solutions already did. Only by exposing and bypassing the evasive tricks can we defeat the threat posed by state-of-the-art, advanced malware.

Clemens Kolbitsch

Clemens Kolbitsch

Clemens is a Security Researcher and engine developer at Lastline. As a lead-developer of Anubis, he has gained profound expertise in analyzing current, malicious code found in the wild. He has observed various trends in the malware community and successfully published peer-reviewed research papers. In the past, he also investigated offensive technologies presenting results at conferences such as BlackHat.
Clemens Kolbitsch