SecurityWeek
ICS/OT

SFG Malware Isn’t Going After Your Grid, but After Your Money

SFG, the Furtim-related piece of malware that was said last week to be specifically targeting “at least one European energy company,” might have no special interest in the energy sector after all, but is instead more focused on evasion and on stealing passwords and money.

Furtim was first analyzed back in May, when researchers revealed that it was designed to check for traces of 400 anti-virus programs on the compromised system and to block access to nearly 250 security-related sites. At the time, it was also pointed out that Furtim worked as a dropper, able to download and execute three binaries on the infected computer, including the Pony info-stealer, which grabs users' passwords and credentials and sends them to the attackers.

Last week, SentinelOne researchers published a report on SFG, claiming that it might be the tool of a state-sponsored actor, and that it could be used “to potentially shut down an energy grid.” Because the malware was observed to exploit two known vulnerabilities (CVE-2014-4113 and CVE-2015-1701) and to use one UAC bypass, it couldn’t have been the work of a cybercriminal group, but might “have been designed by multiple developers with high-level skills and access to considerable resources,” the report said.

What led the researchers to that conclusion was the sophisticated set of anti-detection mechanisms packed into the malware, which were first presented by Yotam Gottesman, a Senior Security Researcher at enSilo, in mid-May. Clearly, the number of anti-virus products on Furtim’s blacklist is impressive at over 400, and it shows a strong focus on remaining stealthy, hence the malware’s name (it comes from Latin and means “stealthy”), yet it reveals nothing about the malware’s final purpose.

After a thorough analysis of SFG’s code, SentinelOne researchers provided an abundance of details on its capabilities, which Furtim was already known to include. What the analyzed code did not show, however, was any focus on ICS or SCADA systems, although the researchers implied one.

But Furtim isn’t focused on the energy sector at all, nor on any other particular sector, security firm Damballa says.

In May, a malware analyst blogged about how a misconfigured Furtim command and control (C&C) server revealed over 15,000 infected hosts around the world. That post alone should have served as clear evidence that the malware isn’t ICS/SCADA or energy-company specific, Robert M. Lee, CEO and founder of critical infrastructure cyber security company Dragos Security, pointed out in a blog post last week. Instead, he said, the researchers assumed their sample was unique, mistakenly inferred its purpose, and then publicized that inference.

SentinelOne has since updated its blog post to say that it doesn’t have evidence that the attack they analyzed was “specifically targeting SCADA energy management systems,” and that their analysis was focused “on the characteristics of the malware, not the attribution or target.” However, the post still notes that the malware “likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe.”

According to Damballa, SFG is just another Furtim build and has nothing to do with state-sponsored actors, but is instead highly connected to the cyber-crime world. In fact, the security firm claims that Furtim is using a known financially-incentivized cybercriminal infrastructure also used by the operators of well-known malware families, including ransomware, banking Trojans, botnets, and info-stealers.

Specifically, Damballa researchers managed to link SFG to a fast-flux proxy-based network called Dark Cloud or Fluxxy, which has been previously associated with “the most damaging Carberp, Gozi ISFB, Pony, TeslaCrypt, Rock Loader, Qakbot/Quakbot, GameOver ZeuS/Zbot, KINS, ICE IX, Zemot/Rerdom, Necurs, Tinba, and Rovnix campaigns.”

Furtim/SFG “does not appear to be a nation-state operation, and there is no specific threat to any particular sector. It appears to be a commodity, financially-incentivized malware operation using known cybercriminal proxy-based, fast-flux DNS infrastructure,” Damballa researchers say. “The good news is that the world’s electric grids are no more at risk from Furtim/SFG than any other backdoor infection,” they continue.
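The fast-flux infrastructure Damballa describes is recognizable from the resolver side: one hostname answers with many unrelated IP addresses, spread across several autonomous systems, with very short TTLs so the set rotates quickly. The following script is an added illustration written for this article, not Damballa’s or any vendor’s tooling. It scores passive-DNS style observations with exactly those three features. The hostnames, IP addresses and AS numbers are constructed placeholders, and the ASN field is assumed to come from a separate IP-to-ASN enrichment step.

```python
# Added illustration: a simple fast-flux heuristic over passive-DNS style records.
# Sample observations below are constructed for this example; hostnames, IPs and
# ASNs are placeholders, not indicators from the article.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer seen by a resolver or passive-DNS sensor."""
    qname: str
    ip: str
    ttl: int   # TTL in seconds carried by the answer
    asn: int   # origin AS of `ip` (assumed to come from an IP-to-ASN enrichment step)


# Constructed sample set: one ordinary host, one CDN-like host, one flux-like host.
SAMPLE_OBSERVATIONS = [
    DnsObservation("www.example.com", "192.0.2.10", 3600, 64496),
    DnsObservation("www.example.com", "192.0.2.10", 3600, 64496),
    # CDN-style: several IPs, but a single operator AS and a moderate TTL
    DnsObservation("static.example.net", "198.51.100.1", 300, 64497),
    DnsObservation("static.example.net", "198.51.100.2", 300, 64497),
    DnsObservation("static.example.net", "198.51.100.3", 300, 64497),
    DnsObservation("static.example.net", "198.51.100.4", 300, 64497),
    DnsObservation("static.example.net", "198.51.100.5", 300, 64497),
    DnsObservation("static.example.net", "198.51.100.6", 300, 64497),
    # Flux-style: many IPs from unrelated ASes with tiny TTLs
    DnsObservation("update-check.example.org", "203.0.113.5", 60, 64500),
    DnsObservation("update-check.example.org", "203.0.113.77", 60, 64501),
    DnsObservation("update-check.example.org", "203.0.113.130", 120, 64502),
    DnsObservation("update-check.example.org", "203.0.113.201", 60, 64503),
    DnsObservation("update-check.example.org", "203.0.113.9", 30, 64504),
    DnsObservation("update-check.example.org", "203.0.113.44", 60, 64500),
]


def summarize(observations):
    """Group answers by name and compute the features fast-flux detection relies on."""
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.qname].append(obs)
    summary = {}
    for qname, obs_list in by_name.items():
        summary[qname] = {
            "distinct_ips": len({o.ip for o in obs_list}),
            "distinct_asns": len({o.asn for o in obs_list}),
            "median_ttl": median(o.ttl for o in obs_list),
            "answers": len(obs_list),
        }
    return summary


def flag_fast_flux(observations, min_ips=5, min_asns=3, max_ttl=300):
    """Return the set of names whose answer pattern matches a fast-flux profile.

    All three conditions must hold: many distinct IPs, spread across several
    ASes, and short TTLs. A single operator's CDN typically fails the ASN test,
    and a stable host fails the IP test. Thresholds are illustrative starting
    points and should be tuned against the resolver's own baseline.
    """
    flagged = set()
    for qname, feats in summarize(observations).items():
        if (feats["distinct_ips"] >= min_ips
                and feats["distinct_asns"] >= min_asns
                and feats["median_ttl"] <= max_ttl):
            flagged.add(qname)
    return flagged


if __name__ == "__main__":
    for name, feats in summarize(SAMPLE_OBSERVATIONS).items():
        print(name, feats)
    print("fast-flux candidates:", sorted(flag_fast_flux(SAMPLE_OBSERVATIONS)))
```

On the constructed sample only the flux-style name is flagged: the CDN-like name has six addresses but one AS, and the ordinary host has one address. The ASN-diversity test is what separates a legitimate content network from a proxy layer built on compromised hosts in many different networks; on real data it should be paired with lists of known CDN and cloud ASes to keep the false-positive rate down.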

However, that doesn’t mean that the malware is less dangerous. In fact, the opposite might be true. Furtim/SFG isn’t only focused on evasion, but it was also designed to compromise a broad range of credentials, which can be used “in ways with significant and far-reaching consequences.” The malware can be used for complete compromise of a system and, since it can operate under the radar, the focus should be on keeping it off every system, not just the electric grid, Damballa researchers conclude.
