Endpoint security firm SentinelOne has found and analyzed the dropper framework of the Furtim malware discovered in May. It describes this as the mother ship, and has named it SFG: Furtim's Parent. In a blog post, SentinelOne says it was discovered targeting 'at least one European energy company', and describes it as highly sophisticated malware that could be used "to extract data or insert the malware to potentially shut down an energy grid."
SentinelOne believes that SFG contains indicators and bears the hallmark of being state-sponsored. It further believes that it may have originated in eastern Europe. Attribution is a difficult subject, and the company would go no further in conversation with SecurityWeek. Nevertheless, we pressed.
It is the volume of evasion techniques and the sophistication of the methods that is key. If it detects a sandbox or indications of manual analysis it shuts down operation and re-encrypts itself to make any further analysis more difficult. That in itself is not new; but the sophistication of the methodology is impressive.
Perhaps more telling however, is the manner in which it by-passes and hides from certain anti-malware products. "It appears," says Udi Shamir, CSO at SentinelOne, "to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group."
"The knowledge to do this," confirmed co-author Joseph Landry, "has to be learned. It won't be found on the internet and isn't shared between gangs." And it's not just a deep understanding of AV that is shown. In order to bypass anti-virus and sandboxes, the author also requires a deep knowledge of Windows itself. "Many of these low-level APIs and system calls are undocumented/under-documented and can change between different versions of Windows," reports the analysis. "To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also [to have] reverse-engineered portions of the Windows operating system."
The malware targeted two known exploits (CVE-2014-4113 and CVE-2015-1701), as well as one UAC bypass.
If the sophistication of SFG points the finger at a state-sponsored effort, it is the style that directs it towards eastern Europe. "Chinese hackers will reuse existing code and borrow techniques from others," said Landry. "The Middle-East hackers will often include boastful comments, possibly because they're quite new to the game. Eastern Europe tends to be well-written and tight - and this is well-written and tight."
Nevertheless, although SentinelOne knows that it has been targeted at one or more European energy companies, and suspects it originates in eastern Europe, the company will go no further. The danger, of course, is that malware that takes such pains to be invisible might well successfully and invisibly be installed on other targets. And just because it is currently targeting the energy sector, that doesn't mean it is or always will be limited to that sector.