Avoiding detection is generally a top priority for any malicious code developer, but the creators of the newly discovered “Furtim” truly appear to have gone the extra mile to ensure that their malware flies under the radar.
Data protection firm enSilo recently analyzed the malware, discovered by a researcher with the Twitter handle @hFireFOX, and dubbed it Furtim, Latin for "by stealth." The name fits: at the time of its discovery, the sample scored a zero-percent detection rate on VirusTotal, Google's anti-virus aggregation service, meaning not one of the scanning engines flagged it.
“In general, all malware takes steps to conceal itself from security researchers,” said Yotam Gottesman, senior security researcher at enSilo, in an email interview with SCMagazine.com. “However, none of the malware that we've ever witnessed was so thorough as Furtim is in its attempt to avoid detection by security products.”
The list of tools and techniques that Furtim uses to conceal and protect itself before, during and after installation is a long one.
For starters, Furtim doesn't arrive packed or compressed, a state that might raise red flags with some AV programs. Instead, the initial component is a small downloader that opens a backdoor on the victim's computer, through which the malicious payloads are delivered later, at a time of the operators' choosing.
That's not all. In its pre-installation phase, Furtim searches its intended host for security products and virtualized or sandboxed environments, and will cancel installation if any are discovered. “Furtim not only tests against a monstrous list of 400 security-related applications, but the authors also took great care to cover a range of security applications, as we also found esoteric products,” said Gottesman.
If the malware detects the presence of a DNS filtering service, it replaces any known filtering name servers with public name servers that apply no filtering. To further frustrate remediation, Furtim blocks access to almost 250 cybersecurity, anti-virus update and technical help web sites by overwriting the Windows hosts file, so that those names no longer resolve to their real addresses.
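A defender's first check for the hosts-file and resolver tampering described above is to parse the hosts file and look for security-related names pinned to a loopback or null address, or redirected somewhere else entirely. The following is an added example written for this article, not enSilo's code and not the malware's; the watch-listed domain suffixes, the sample hosts file and the filtering-resolver address it uses are constructed for illustration.

```python
"""Detect hosts-file sinkholing and loss of filtering DNS resolvers.
Added example for this article; all domain names and the sample hosts
file below are constructed, not taken from the Furtim analysis."""

import ipaddress
from dataclasses import dataclass

# Addresses that effectively black-hole a hostname when placed in hosts.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed watch list: suffixes of domains an attacker would want to cut
# off (AV update servers, security vendors, help sites). A real deployment
# would populate this from the update endpoints its own products use.
WATCHLIST_SUFFIXES = (
    "av-vendor.example",
    "security-updates.example",
    "helpdesk.example",
)

# Constructed address standing in for an organisation's filtering resolver.
FILTERING_RESOLVERS = {"198.51.100.53"}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text):
    """Parse hosts-file text. A line is '<address> <name> [<name>...]';
    '#' starts a comment; blank and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not a valid address; Windows ignores such lines too
        for name in names:
            entries.append(HostsEntry(line_no, address, name.lower()))
    return entries


def _on_watchlist(hostname):
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHLIST_SUFFIXES)


def suspicious_entries(text):
    """Return (entry, reason) pairs for watch-listed names found in hosts.
    'sinkhole' means the name is pinned to a loopback/null address;
    'redirect' means it points at some other address, which could be an
    attacker-controlled host impersonating the real one."""
    flagged = []
    for entry in parse_hosts(text):
        if not _on_watchlist(entry.hostname):
            continue
        reason = "sinkhole" if entry.address in SINKHOLE_ADDRESSES else "redirect"
        flagged.append((entry, reason))
    return flagged


def filtering_resolver_removed(configured_resolvers):
    """True when none of the configured DNS servers is a known filtering
    resolver, i.e. the host has been switched to unfiltered public DNS."""
    return not (set(configured_resolvers) & FILTERING_RESOLVERS)


# Constructed sample: the default localhost line, one legitimate internal
# mapping, and several tampered entries of the kind the article describes.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
#	127.0.0.1       localhost
127.0.0.1   localhost
10.0.0.5    fileserver.corp.example  # legitimate internal mapping
127.0.0.1   update.av-vendor.example download.av-vendor.example
0.0.0.0     www.security-updates.example
::1         forum.helpdesk.example
192.0.2.10  portal.av-vendor.example   # redirected to another host
"""

if __name__ == "__main__":
    for entry, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {entry.hostname} -> {entry.address} ({reason})")
    if filtering_resolver_removed(["8.8.8.8", "8.8.4.4"]):
        print("no filtering resolver configured")
```

Run against the real file (`C:\Windows\System32\drivers\etc\hosts`) the check is the same; the value is in comparing the parsed entries against a baseline, since a hosts file on a managed workstation should rarely contain anything beyond the localhost line.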
Because an infected device must be rebooted before Furtim can fully embed itself, the malware also overrides any reboot policies set by the user or an administrator, ensuring that all downloaded malicious payloads run after the reboot.
Additionally, Furtim disables Windows notifications and pop-ups and changes configuration settings on the host to block access to the command prompt and Task Manager, tools that could otherwise help users spot or kill the malicious processes.
Finally, Furtim collects unique identifiers from each infected machine and sends them to the command and control (C&C) server, which then delivers the malicious payloads only once to any given victim. This is a defensive measure against security researchers who might try to collect multiple samples for study.
So far, the malware's agenda is mostly hidden as well. It has three payloads: The first is a power-saving configuration tool that disables sleep mode and hibernation so the victimized system remains continuously connected to the C&C server, unless it's shut down manually. The second is an aggressive, commercial credential stealer known as Pony Stealer. “If there's a credential, it would steal it. It may be credentials for banking services, mail applications, file sharing services, etc. But more so, Pony Stealer is also used to steal credentials to FTP [and] internal file servers, etc. in order to enable lateral movement,” said Gottesman.
The third payload, however, is more mysterious. It reports the presence of virtualization environments and anti-virus products to the C&C server, but that is likely not its main purpose, because the malware is already designed not to install in the first place under such circumstances. In its blog post, enSilo suggested that this final payload may actually contain Furtim's “main malicious functionality and persistence capabilities.”
“We do know that the code there is complex and requires more resources to uncover it,” added Gottesman in his interview.
Citing a timestamp of Oct. 22, 2015, enSilo believes that Furtim has been in existence for around seven months. “We don't know where there are infections, but we do know that the [C&C] server is live and kicking, meaning that the malware is in the wild,” said Gottesman. The C&C server is hosted at a Russian domain that resolves to several Ukrainian IP addresses. With that in mind, and considering that the malware's communications are configured to accept the Russian language, enSilo wrote in its analysis that it would be “easy to point a finger at Russia. However, we cannot jump to those conclusions as threat actors typically hide their identity by masquerading as coming from a certain location.”
And if there's one thing this malware is clearly built to do, it's hide.