In May of this year, security researcher Yotam Gottesam with enSilo, began unraveling a mystery that continues to unravel. First reported by FireF0X, a self-proclaimed “ex-malware analyst” located in the Russian Federation, the Furtim malware dropper, or “Stealth” in Latin, created a stir the security community over the lengths at which the creators of the malware went to avoid being detected. It’s not clear where FireF0X received the sample of malware and despite Yotam’s thorough investigation outlined in his original blog post, many questions about Furtim have gone unanswered until now.
Joseph Landry and Udi Shamir, researchers with SentinelOne, have begun putting more pieces of the puzzle together. In a blog by the two that recently appeared on the SentinelOne website, Landry and Shamir outline a number of advanced capabilities built into the malware that makes the Furtim dropper a potent weapon against the energy sector. The two believe the malware is likely a dropper tool and is being used very selectively against those in the energy sector. The exploit itself appears to be effective against all variants of Microsoft Windows and bypasses antivirus solutions, next-generation firewalls, and endpoint solutions leveraging sandboxing techniques.
Furtim ’s additional capabilities may give more insight on whose behind the malware and what their intentions are. In addition to exploiting the network, Furtim looks to see if it access control systems are present on the workstation, but not just any access control system, the ZKTeco’s ZKAccess software. If that specific piece of software is present, Furtim will cease to execute. The painstaking specifics of who and what to infect don’t end there!
Using cmd.exe, Furtim cleverly disguises itself as normal process on the system. Once started, the malware does an extensive reconnaissance of the machine, enumerating a wide variety of system parameters with an ability to terminate execution immediately if certain conditions exist.
By exploiting CVE-2014-4113 and CVE-2015-1701, the payload bypasses Windows UAC to gain administrative privileges on its target. Now the malware’s heavy lifting begins.
“This sample was written in a manner to evade static and behavioral detection. Many anti-sandboxing techniques are utilized. Analysts relying solely on sandbox solutions may miss the full functionality of the sample.” reported the analysis published by SentinelOne. “Two known exploits (CVE-2014-4113 and CVE-2015-1701) were found in the sample, as well as one UAC bypass.”
SentinelOne has outlined the exhaustive number of checks to obfuscate its presence on a host machine. You can read the full details here. The first check is for sandboxing and virtual machines to thwart the prying eyes of malware analysts. If those are found, the malware terminates and its .data section is encrypted. Antivirus is both enabled and disabled at appropriate times to further reduce the possibility of detection.
The malware has other interesting characteristics worth noting. For example, DLL hooking. DLL hooking is a common practice used by antivirus products to detect malicious behavior. Furtim will search for injected DLLs on the victims’ workstation. If an antivirus leveraging hooking is discovered, the result is stored for future use reference to suppress future functionality that may be introduced into the malware. The DLL vendor list is short and somewhat varied. BitDefender, BullGuard, COMODO, Agnitum, Qurb, and Emisoft make up that list. A second DLL hooking routine is also ran by the malware discovering software used in manual malware analysis. Additional checks also include hard disks for vendor specific virtualized hard disks such as VMware and BIOS checks for further virtualization identification.
With all the specific exceptions that the Furtim dropper tool includes, it leads one to wonder if specific targeting can be derived from its attributes. SentinelOne has been reluctant to point fingers as to who is behind the malware. When pressed on the topic by SecurityWeek, SentinelOne would only describe Furtim ’s sophistication or methodology as “impressive.”
It is likely that the resources required to research, write, and perfect the Furtim dropper point to a nation state level threat actor group but with recent rumblings from the security community about attribution it may be wise to stick with the knowns and let the analysts decide.
According to SentinelOne Furtim was discovered targeting at least one European energy company. This should come as no surprise considering attacks on the energy sector are becoming more and more prevalent across the industry. Interestingly, in the previous analysis performed by Yotam Gottesman revealed encrypted information about its target being sent to a Russian-domain whose domain resolves to a number of Ukrainian IP addresses. But as Yotam points out, you can never be certain that this is a true connection to any particular region or a ruse to throw off malware analysts.
Written by: Rick Gamache
Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes the Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate global supply chains.
Twitter – https://twitter.com/thecissp
(Security Affairs – Furtim, nation-state malware)