A security researcher that goes online only by the nickname of FireFOX (@hFireF0X) has discovered a unique malware family that pays a lot of attention to remaining undetected, and not to having great features or efficient data exfiltration procedures.
Security firm enSilo took a closer look at his discovery and named the malware Furtim, the Latin word for “stealthy” and tracked down some of its command & control servers to a Russian domain, which resolves back to a Ukrainian IP.
At the time of his analysis, despite managing to break down a large part of Furtim’s mode of operation, enSilo didn’t manage to discover how crooks are spreading the malware, how it gains an initial foothold on the infected devices, or what kind of targets it is seeking.
Furtim, a.k.a. “the paranoid malware”
enSilo also noted something different about Furtim that he didn’t see in other types of malware. Furtim paid a lot of attention, actually more than it should, to avoiding getting detected by security products.
During its installation, the malware would check for the presence of virtualized or sandboxed environments, tools which security researchers use for malware debugging.
Additionally, Furtim also includes filters for over 400 security products. If it finds at least one of these installed on the PC, Furtim aborts the installation.
After it has set up itself, the malware blocks DNS filtering services by replacing DNS servers with public IPs provided by Google and Level3 Communications, and also blocks users from accessing nearly 250 websites from the infosec domain.
Furtim is really, really, really paranoid
But the self-defense mechanism doesn’t stop here, though, because Furtim also disables the Windows notification and pop-up mechanisms, and his access to the command line and the Task Manager.
After Furtim feels comfortable within its infected environment, it collects data from the infected device and sends it to the server.
The server uses this data to identify between its targets and also deliver the final payloads since Furtim is only a malware downloader, a stepping stone for more dangerous threats.
enSilo noticed that the server sent the malware payloads only once to each target, a tactic also employed to make reverse engineering by security researchers much harder.
Furtim delivers the Pony infostealer and another unknown payload
The final payload is actually made up of three files. The first is a power configuration file for the infected computer that removes sleep mode and hibernation settings.
The second is the Pony infostealer, malware specialized in stealing all kinds of sensitive data, from FTP and email client credentials to browser history and stored passwords.
The third and final payload is currently unknown, enSilo saying he wasn’t able to crack it.
“We do know that a third binary is downloaded. It is identified as generic by certain AVs, possibly due to the fact that it is packed. We have yet to analyze it to completely understand what it does,” BreakingMalware also wrote today. “We do know though, that it communicates back a list of certain discovered processes to another Russian server.”
With all these data exfiltration features and focus on stealth, Furtim sure looks like the spawn of a cyber-espionage group, even if FireFOX, BreakingMalware or enSilo didn’t say so.
UPDATE: Article updated to provide attribution for Furtim’s analysis to enSilo.