Dragon News

Dragon News

An inside look at the world of Team Cymru. Cybersecurity tools, tips, news and views.




Dragon News

Malware Families Shifu and Corebot now in BARS Feed


Early yesterday morning, malware families Corebot and Shifu went into Team Cymru’s Botnet Analysis & Reporting Service (BARS).

Both of these families are “crimeware”. Both are used to steal passwords, inject HTML into web sites to assist in identity theft, allow VNC access to hijack browser sessions and transfer money to accounts held by the criminals.


Corebot is named after debug file string Core.pdb. It’s currently known features include:

• Steal saved passwords for Email, FTP, Web sites, etc.
• Steal information typed into Web forms
• Download and install an updated version, and/or additional malware
• Notify the bot master of active online banking sessions
• Allow takeover of Web sessions via a hidden VNC service

Corebot has been observed targeting online customer accounts of financial institutions. It achieves this end by performing web injections inside the victim’s browser. These injects are stored in a configuration file which is pushed by it’s controller, thereby creating a dynamic targeting system that can be updated at will. Additionally, it may install a virtual network computing (VNC) module, which can provide remote control for the attacker to hijack online sessions.


Shifu, Japanese for ‘thief’, was first reported targeting Japan and evolved from “Shiz” Trojan. It is likely not Japanese in origin, as it has every sign of being part of the Eastern European cybercrime scene. It borrows from Dridex, Gozi and ZeusVM.

These are both fairly new to the malware scene. Our team believes that we will see more activity on them before long.


BARS provides in-depth analysis, tracking, and history of malware families that utilize unique control protocols and possibly encryption mechanisms. We provide the following elements as part of our BARS package:

Infrastructure – to provide automated tracking and reporting of known botnets
Analysts – focused on investigating new malware families and/or variants
Developers – writing specialized code to track and report on these new threats

Our data set contains information related to bots including IP, PGP and GeoIP information.

Contact our sales team for more information and to set up your free trial.