Furtim Malware: As Stealthy as Its Name Implies
May 20, 2016
Shah Sheikh (1294 articles)

Furtim Malware: As Stealthy as Its Name Implies

Breaking Malware recently published an analysis of a new malware called Furtim. Its name is derived from the Latin term for stealthy — and that’s exactly how it acts.

Furtim attacks Windows machines. It won’t install itself if it identifies any one of an extensive list of security products present or if it finds itself in a sandbox or virtualized environment, according to the analysis. That’s a behavior pattern that has never been seen in malware. This reticence to install itself may be why it was not detected by any of the 56 antivirus programs surveyed by VirusTotal.

More About the Malware

Furtim is deployed as a binary file named native.dll; this is a driver meant to be loaded by the kernel. Although the analyzed sample came unpacked, it did show protection mechanisms. Breaking Malware postulated that it came unpacked because driver packers are a lot less common than regular executable packers.

The security programs it searches for include the well-known ones as well as products that are comparatively rare. If any of these programs or found — or even a trace of them sniffed — Furtim stops dead.

Furtim Goes to Town

Once it feels safe, the malware reads an encrypted, hard-coded part of itself, decrypts it and then writes it to the disk. This is added to the registry’s RunOnce key.

It runs and immediately changes the registry’s policies key values. This blocks the user from accessing the command line and task manager. It then collects unique information about the machine, such as the computer name and Windows installation date. It encrypts this information and sends it to a Russian server, SecurityWeek summarized.

The next step involves three binaries downloaded by the executable, according to the analysis. The first binary keeps the machine on constantly by changing the power settings; the second steals saved passwords and credentials from the installed programs and sends them back to a server; and a third downloaded binary has yet to be fully understood.

Once installed, it will gather some passwords but not much else; it’s a lot of work for little reward.

What’s Going on Here?

The exact purpose of Furtim remains unknown, but it takes extreme precautions to avoid detection. It may be a proof of concept for an installer that is related to some other malware that has yet to be deployed.

This malware is not done evolving. Vigilance will be needed to detect and understand it and its successors.

Source | SecurityIntelligence