SFG, the Furtim-related piece of malware that was said last week to be specifically targeting “at least one European energy company,” might have no special interest in the energy sector after all, but is instead more focused on evasion and on stealing passwords and money.
Furtim was first analyzed back in May, when researchers revealed that was designed to check for traces of 400 anti-virus programs on the compromised system and to block access to nearly 250 security related sites. At the time, it was also pointed out that Furtim worked as a dropper, being able to download and execute three binaries onto the infected computers, including the Pony info-stealer, which grabs user’s passwords and credentials and sends them to the attackers.
Last week, SentinelOne researchers published a report on SFG, claiming that it might be the tool of a state-sponsored actor, and that it could be used “to potentially shut down an energy grid.” Observed to target two known exploits (CVE-2014-4113 and CVE-2015-1701) and one UAC bypass, the malware couldn’t have been the work of a cybercriminal group, but might “have been designed by multiple developers with high-level skills and access to considerable resources,” the report said.
What made researchers believe that was the fact that the malware was packing sophisticated anti-detection mechanisms, which were first presented by Yotam Gottesman, a Senior Security Researcher at enSilo, in mid-May. Clearly, the number of anti-virus products on Furtim’s black list is impressive at over 400, and also shows an increased focus on remaining stealthy, hence the malware’s name (it comes from Latin and means “stealthy”), yet it shows nothing related to its final purpose.
After a thorough analysis of SFG’s code, SentinelOne researchers provided an abundance of details on its capabilities, which Furtim was already known to include. What the analyzed code didn’t show to researchers, however, was the malware’s focus on ICS or SCADA systems, although they did imply it.
But Furtim isn’t focused on the energy sector at all, nor on any other particular sector, security firm Damballa says.
In May, a malware analyst blogged about how a misconfigured Furtim command and control (C&C) server revealed over 15,000 infected host around the world. That post alone should have served as clear evidence that the malware isn’t ICS/SCADA or energy-company specific, Robert M. Lee, CEO and founder of critical infrastructure cyber security company Dragos Security, pointed out in a blog post last week. Instead, he said, the researchers assumed their malware was unique and mistakenly assumed and then exposed its purpose.
SentinelOne has since updated its blog post to say that it doesn’t have evidence that the attack they analyzed was “specifically targeting SCADA energy management systems,” and that their analysis was focused “on the characteristics of the malware, not the attribution or target.” However, the post still notes that the malware “likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe.”
According to Damballa, SFG is just another Furtim build and has nothing to do with state-sponsored actors, but is instead highly connected to the cyber-crime world. In fact, the security firm claims that Furtim is using a known financially-incentivized cybercriminal infrastructure also used by the operators of well-known malware families, including ransomware, banking Trojans, botnets, and info-stealers.
Specifically, Damballa researchers managed to link SFG to a fast-flux proxy-based network called Dark Cloud or Fluxxy, which has been previously associated with “the most damaging Carberp, Gozi ISFB, Pony, TeslaCrypt, Rock Loader, Qakbot/Quakbot, GameOver ZeuS/Zbot, KINS, ICE IX, Zemot/Rerdom, Necurs, Tinba, and Rovnix campaigns.”
Furtim/SFG “does not appear to be a nation-state operation, and there is no specific threat to any particular sector. It appears to be a commodity, financially-incentivized malware operation using known cybercriminal proxy-based, fast-flux DNS infrastructure,” Damballa researchers say. “The good news is that the world’s electric grids are no more at risk from Furtim/SFG than any other backdoor infection,” they continue.
However, that doesn’t mean that the malware is less dangerous. In fact, the opposite might be true. Furtim/SFG isn’t only focused on evasion, but it was also designed to compromise a broad range of credentials, which can be used “in ways with significant and far-reaching consequences.” The malware can be used for complete compromise of a system and, since it can operate under the radar, the focus should be on keeping it off every system, not just the electric grid, Damballa researchers conclude.