The Snifula family of malware has recently been making a name for itself in Japan, where it has targeted multinational and smaller regional financial institutions alike. Malware of this kind puts banks at risk in other parts of the world too, including North and South America. Our research indicates that most financial institutions in the Western hemisphere have already been attacked by some variant of Snifula.
Snifula Doesn’t Just Steal Money
Snifula is capable of stealing the certificates stored on an end user's device, and what is notable is that it needs no exploit to do so: Microsoft Windows exposes a documented, public API function for exactly this purpose. The function, PFXExportCertStoreEx (in crypt32.dll), serializes the certificates in a given certificate store into a password-protected PFX (PKCS #12) blob, and includes the associated private keys when a key is present and was stored as exportable [1]. Keys that were imported as non-exportable, or that live on a smart card or other hardware token, are not returned by this call, which is why that import setting matters. Beyond certificate theft, Snifula can take screenshots; steal cookies, browsing history and internet cache files; and disable or corrupt the Windows installation. It can also turn the end user's device into a proxy server, letting the fraudster stealthily make internet connections from the end user's IP address.
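The practical question for a defender is which private keys in a user's store would actually come out of a PFXExportCertStoreEx-style export. The following PowerShell script is an added example (not code from the original article or from any Snifula analysis); it inventories the current user's personal certificate store and reports, for each certificate with a private key, whether that key is marked exportable. The store path, the function name and the output field names are choices made for this example; it assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

```powershell
# Added example, not code from the original article. Lists every certificate in
# the current user's personal store that has a private key and reports whether
# the key storage provider would allow that key to be exported (the condition
# under which PFXExportCertStoreEx includes it in the PFX output).
# Assumptions: Windows, PowerShell 5.1 or 7; store path and field names are
# choices made for this example.

function Get-PrivateKeyExportability {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        $exportable = 'unknown'
        $provider   = 'unknown'
        try {
            # Use the CNG/CAPI-agnostic extension methods rather than
            # $cert.PrivateKey, which returns $null for CNG keys on
            # Windows PowerShell 5.1.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }

            if ($key -is [System.Security.Cryptography.RSACng] -or
                $key -is [System.Security.Cryptography.ECDsaCng]) {
                # CNG key: the export policy is a flag set carried by the CngKey.
                # AllowExport is the minimum needed for a password-protected
                # PKCS #8 / PFX export; AllowPlaintextExport is stronger still.
                $provider   = $key.Key.Provider.Provider
                $policy     = $key.Key.ExportPolicy
                $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the container info carries the exportable bit.
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Smart card and other hardware-backed keys often refuse to be
            # opened at all; record the error instead of aborting the scan.
            $exportable = "error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            Exportable = $exportable
        }
    }
}

# Exportable keys first, since those are the ones a store export would leak.
Get-PrivateKeyExportability | Sort-Object Exportable -Descending | Format-Table -AutoSize
```

Any certificate that shows Exportable = True is one whose private key leaves the machine the moment something with the user's privileges calls the export API. The setting is decided at import time: Import-PfxCertificate marks keys non-exportable unless -Exportable is passed, and Export-PfxCertificate on such a certificate fails with an error rather than producing a PFX. Note that "non-exportable" is a policy enforced by the software key storage provider; it blocks the straightforward API call the article describes, but it is not equivalent to keeping the key in hardware.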
As if that were not enough, Snifula carries the usual banking malware feature set, such as control and manipulation of the victim's browsing session, and combines it with more general-purpose capabilities: stealing files, confidential information and browser histories. It also includes remote control tooling, arbitrary command execution, and a SOCKS5 proxy used to route the attacker's connections through the victim. It can even disable the device's operating system. Its ability to steal certificates together with their private keys widens the fraud and data breach possibilities for cybercriminals: once a certificate and its private key are in the fraudster's hands, they can sign software and pose as a legitimate manufacturer and trusted source in future attacks, or authenticate as the victim wherever that certificate is used for client authentication.
Snifula is a mature piece of malware that has been evolving and gaining capabilities since 2006, incorporating increasingly complex and wide-ranging features and putting financial institutions and enterprises at risk globally.
What to do?
As we have seen repeatedly, these attacks will continue as long as people use e-mail, Twitter and other services where personal information is shared. Think of this malware as similar to another kind of virus most of us are familiar with: the flu. We are exposed to it daily, and that does not stop us from going to work or school and having a normal social life, even though the risk of getting sick is real. Based on the track record of this type of malware and the features it uses to steal users' banking credentials, we can say with certainty that it will play an important role in the fraud landscape for the foreseeable future. The best recommendation for banking institutions and enterprises is to work at stopping fraud in every phase of an attack's lifecycle, especially the planning and launch stages, and to monitor black markets regularly so that they can react quickly when they become an active target.
[1] Malware analysis report of a Backdoor.Snifula variant, CIRCL (Computer Incident Response Center Luxembourg), the national CERT of Luxembourg.