SecurityWeek

Cyberwarfare

Furtim’s Parent: State-Sponsored Malware Targets Energy Sector

Endpoint security firm SentinelOne has found and analyzed the dropper framework of the Furtim malware discovered in May. It describes this as the mother ship, and has named it SFG: Furtim’s Parent. In a blog post, SentinelOne says it was discovered targeting ‘at least one European energy company’, and describes it as highly sophisticated malware that could be used “to extract data or insert the malware to potentially shut down an energy grid.” 

SentinelOne believes that SFG contains indicators and bears the hallmark of being state-sponsored. It further believes that it may have originated in eastern Europe. Attribution is a difficult subject, and the company would go no further in conversation with SecurityWeek. Nevertheless, we pressed.

It is the volume of evasion techniques and the sophistication of the methods that is key. If it detects a sandbox or indications of manual analysis it shuts down operation and re-encrypts itself to make any further analysis more difficult. That in itself is not new; but the sophistication of the methodology is impressive.

Perhaps more telling, however, is the manner in which it bypasses and hides from certain anti-malware products. “It appears,” says Udi Shamir, CSO at SentinelOne, “to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group.”

“The knowledge to do this,” confirmed co-author Joseph Landry, “has to be learned. It won’t be found on the internet and isn’t shared between gangs.” And it’s not just a deep understanding of AV that is shown. In order to bypass anti-virus and sandboxes, the author also requires a deep knowledge of Windows itself. “Many of these low-level APIs and system calls are undocumented/under-documented and can change between different versions of Windows,” reports the analysis. “To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also [to have] reverse-engineered portions of the Windows operating system.” 

The malware used exploits for two known vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as one UAC bypass.

If the sophistication of SFG points the finger at a state-sponsored effort, it is the style that directs it towards eastern Europe. “Chinese hackers will reuse existing code and borrow techniques from others,” said Landry. “The Middle-East hackers will often include boastful comments, possibly because they’re quite new to the game. Eastern Europe tends to be well-written and tight – and this is well-written and tight.”

Nevertheless, although SentinelOne knows that it has been targeted at one or more European energy companies, and suspects it originates in eastern Europe, the company will go no further. The danger, of course, is that malware that takes such pains to be invisible might well successfully and invisibly be installed on other targets. And just because it is currently targeting the energy sector, that doesn’t mean it is or always will be limited to that sector.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
