SecurityWeek

Malware & Threats

Windows Malware Tries to Avoid 400 Security Products

Malware authors constantly work to keep their malicious files undetected by security products, and many equip their programs with the ability to detect anti-virus software, but the newly observed “Furtim” malware is one of a kind in this regard.

The malware’s name comes from Latin and means “stealthy,” explains Yotam Gottesman, a Senior Security Researcher at enSilo, adding that the program goes to great lengths to avoid being caught by security products: it includes checks for 400 of them. Should any of the products on this extensive list be found on the targeted machine, the malware terminates itself and leaves the computer unharmed.

Built to target Windows computers, the malware was first discovered by a researcher who goes by the name of @hFireF0X, who noticed that none of the 56 anti-virus engines on the VirusTotal service detected the new threat. It’s unclear who is behind the malware as of now, but it is clear that the actor would rather abort infection than risk being caught.

Furtim is deployed as a binary file named “native.dll,” which is a driver supposedly meant to be loaded by the kernel, researchers explain. The analyzed sample was 295 KB in size, was compiled on October 22, 2015, and came unpacked, although it did show protection mechanisms.

Gottesman explains that strings in the sample are obfuscated, the binary contains other encrypted parts, and calls are made dynamically through a large structure that contains function pointers, although anti-debugging protection is not present. The analysis revealed the structure used for function calls and a loop that decrypts the strings; when run, it yields the plaintext strings and a struct full of function pointers.

The most interesting part of the malware was its ability to search the infected machine for registry entries or service executable names of 400 security programs, including well-known and very rare products. As soon as traces of such a program are discovered on the compromised system, the malware terminates itself.

The malicious program also checks for virtualization environments: it is aware of all major virtualization and sandboxing products and avoids them. Additionally, the malware detects DNS filtering services by scanning the network interfaces on the infected machine.

Furtim also blocks access to nearly 250 security-related sites, including anti-virus update sites and technical help destinations, by replacing Windows’ hosts file, the researchers discovered (the list of blocked domains is available on Breaking Malware).
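A defender can catch this kind of hosts-file tampering by checking whether domains that should stay reachable have been pinned to a loopback or null address. The following is an added example, not code from enSilo or the article; the hosts content, the watched domains and the `.test` names are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample of a tampered hosts file (not Furtim's real list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # constructed: AV update host
0.0.0.0         support.example-sec.test # constructed: vendor support site
10.0.0.5        intranet.corp.test
"""

# Domains a defender expects to remain reachable (constructed watch list).
WATCHED_DOMAINS = {"update.example-av.test", "support.example-sec.test"}

# Addresses that, when bound to a watched domain, effectively null-route it.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]  # one address, one or more names
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def find_blocked(text: str, watched=WATCHED_DOMAINS) -> Dict[str, str]:
    """Map each watched domain that is sinkholed to the address used."""
    blocked = {}
    for addr, name in parse_hosts(text):
        if name in watched and addr in SINKHOLE_ADDRS:
            blocked[name] = addr
    # 'localhost' legitimately maps to loopback and is never in the watch list.
    return blocked


if __name__ == "__main__":
    for host, addr in sorted(find_blocked(SAMPLE_HOSTS).items()):
        print(f"ALERT: {host} is pinned to {addr} in the hosts file")
```

On a live Windows host the text would be read from `%SystemRoot%\System32\drivers\etc\hosts` and the watch list populated from the vendor domains the organization actually relies on.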


If no threat (anti-malware product) is found on the compromised machine, Furtim reads an encrypted hard-coded part of itself, decrypts it and writes it to disk as a user-mode executable named “rdpinst.exe,” while also adding it to the registry RunOnce key. The malware also takes a series of measures to ensure that the RunOnce key is not ignored by Group Policy and uses various Windows tools to enforce a normal boot sequence, a very rare behavior for malware.

The newly dropped binary makes changes to the registry, mainly to the Policies key values, to block the user from accessing the Command Line (cmd) and Task Manager, and also collects information about the PC, including computer name and Windows’ installation date. The information is then encrypted and sent to a Russian-domain server, which resolves to IP addresses located in Ukraine.
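The RunOnce persistence and the Policies lockdown described in the two paragraphs above leave traces a defender can check for in a registry export. This is an added example, not enSilo's tooling: it parses the text format that `reg export` writes, flags any RunOnce autostart, and flags the standard Windows policy values `DisableCMD` and `DisableTaskMgr` (the article does not name the exact values, so treating these as the ones meant is an assumption). The export content, including the value name and path used for rdpinst.exe, is constructed.

```python
from typing import Dict, List

# Constructed .reg export in the format 'reg export' writes (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"rdpinst"="C:\\Users\\victim\\AppData\\Roaming\\rdpinst.exe"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\bg.jpg"
"""

# Standard policy values that lock users out of cmd and Task Manager
# (assumed to be the "Policies key values" the article refers to).
LOCKDOWN_VALUES = {
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System": {"DisableCMD"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableTaskMgr"},
}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)  # "Name"=data
            keys[current][name] = data
    return keys


def find_indicators(text: str) -> List[str]:
    """Flag RunOnce autostarts and non-zero cmd/Task Manager lockdown values."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower().endswith(r"\currentversion\runonce"):
            for name, data in values.items():
                findings.append(f"RunOnce entry {name} -> {data}")
        for name in LOCKDOWN_VALUES.get(key, ()):
            data = values.get(name, "")
            if data.startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(f"{name} set to {data} under {key}")
    return findings
```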

According to enSilo’s researcher, the server responds with three binary files to be launched by the executable. The first uses the powercfg configuration tool to disable automatic sleep mode and hibernation on the infected machine, the second is a Pony stealer designed to steal saved passwords and credentials from various programs, while the third binary is a file that gathers information on certain discovered processes and sends it to another Russian server.

This third file has yet to be fully analyzed by researchers, and the same applies to the malware’s actual infection method, which is supposedly different from the usual “double-click and infect,” Gottesman noted.
