Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Snifula Banking Trojan Back to Target Japanese Regional Financial Institutions

New Snifula variant focuses on smaller Japanese regional banks
Created: 28 Jul 2014 15:21:02 GMT • Updated: 06 Aug 2014 23:11:50 GMT • Translations available: 日本語
Symantec Security Response's picture
+1 1 Vote
Login to vote

Symantec Security Response has found that a new variant of Trojan.Snifula (Neverquest) is targeting more than 30 Japanese financial institutions, including 12 regional banks. The threat first appeared in 2006 and is used to steal victims’ financial information from specific banking sites through man-in-the-browser (MITB) techniques. Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use. 

We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online banking sites in Japan. 

One interesting aspect of the configuration file is that it includes 12 Japanese regional banks which are spread across 12 prefectures. Only one of these regional banks made the top ten list in terms of total deposit balances from customers. In fact, more than half of the targeted banks are in the bottom half of the overall list of total deposit balances from customers. This clearly shows that the targeted banks are picked regardless of the institution’s size. We expect that other regional banks will likely be targeted by Snifula, so consumers should not let their guard down when using any online banking site.

As of July 2014, our telemetry shows that Japan is still ranked third and makes up almost 20 percent in terms of Trojan.Snifula activities. Considering our research, it seems that attackers are not about to quit targeting Japanese online banking customers.

figure1_update.png
Figure 1. Snifula activity in July 2014 by region

figure2_8.png
Figure 2. Snifula activity heat map in July 2014

Symantec Security Response is closely monitoring Snifula and provides appropriate protection against this threat. We will continue to update our coverage as we see new Snifula variants. Users should keep AV and IPS definitions up to date and avoid opening suspicious email attachments or links to prevent infection.

The following detections are Symantec’s current protections against Snifula.

AV

IPS