Malware authors are constantly trying to build their malicious files to remain undetected by security products and pack their malicious programs with anti-virus detection capabilities, but the newly observed “Furtim” malware is one of a kind in this regard.
The malware’s name comes from Latin and means “stealthy,” Yotam Gottesman, a Senior Security Researcher at enSilo explains, adding that the program goes through great lengths to avoid being caught by security parties: it includes checks for 400 security products. Should any of the products on this extensive list be found on the targeted machine, the malware terminates itself and leaves the computer unharmed.
Built to target Windows computers, the malware was first discovered by a researcher that goes by the name of @hFireF0X, who noticed that none of the 56 anti-virus programs tested by VirusTotal service detected the new threat. It’s unclear who is behind the malware as of now, but it is clear that the actor would abort infection rather than being caught.
Furtim is deployed as a binary file named “native.dll,” which is a driver supposedly meant to be loaded by the kernel, researchers explain. The analyzed sample was 295 KB in size, was compiled on October 22, 2015, and came unpacked, although it did show protection mechanisms.
Gottesman explains that strings in the sample are obfuscated, the binary contains other encrypted parts, and calls are made dynamically through a large structure that contains function pointers, albeit anti-debugging protection is not present. The analysis revealed the structure for function calls and a loop that decrypts strings that, when run, reveal plaintext strings and a struct full of function pointers.
The most interesting part of the malware was its ability to search the infected machine for registry entries or service executable names of 400 security programs, including well-known and very rare products. As soon as traces of such a program are discovered on the compromised system, the malware terminates itself.
The malicious program also checks for virtualization environments, being aware of all major virtualization and sandboxing products and avoiding them. Additionally, the malware knows of DNS filtering services due to its scanning of the network interfaces on the infected machine.
Furtim also blocks access to nearly 250 security related sites, including anti-virus update sites and technical help destinations by replacing Windows’ hosts file, the researchers discovered (the list of blocked domains is available on Breaking Malware).
If no threat (anti-malware product) is found on the compromised machine, Furtim reads an encrypted hard-coded part of itself, decrypts it and writes it to the disk as a user-mode executable named “rdpinst.exe,” while also adding it to the registry RunOnce. The malware also takes a series of measures to ensure that the RunOnce key is not ignored by the Group policy and uses various Windows tools to enforce normal boot sequence, a very rare behavior for malware.
The newly dropped binary makes changes to the registry, mainly to the Policies key values, to block the user from accessing the Command Line (cmd) and Task Manager, and also collects information about the PC, including computer name and Windows’ installation date. The information is then encrypted and sent to a Russian-domain server, which resolves to IP addresses located in Ukraine.
According to enSilo’s researcher, the server responds with 3 binary files to be launched by the executable. The first uses the powercfg configuration tool to disable automatic sleep mode and hibernation on the infected machine, the second is a Pony stealer, designed to steal saved passwords and credentials from various programs, while the third binary is file that gathers info on certain discovered processes and sends it to another Russian server.
This third file has yet to be fully analyzed by researchers, and the same applies to the malware’s actual infection method, which is supposedly different from the usual “double-click and infect,” Gottesman noted.