Connect with us

Hi, what are you looking for?


Malware & Threats

Windows Malware Tries to Avoid 400 Security Products

Malware authors are constantly trying to build their malicious files to remain undetected by security products and pack their malicious programs with anti-virus detection capabilities, but the newly observed “Furtim” malware is one of a kind in this regard.

Malware authors are constantly trying to build their malicious files to remain undetected by security products and pack their malicious programs with anti-virus detection capabilities, but the newly observed “Furtim” malware is one of a kind in this regard.

The malware’s name comes from Latin and means “stealthy,” Yotam Gottesman, a Senior Security Researcher at enSilo explains, adding that the program goes through great lengths to avoid being caught by security parties: it includes checks for 400 security products. Should any of the products on this extensive list be found on the targeted machine, the malware terminates itself and leaves the computer unharmed.

Built to target Windows computers, the malware was first discovered by a researcher that goes by the name of @hFireF0X, who noticed that none of the 56 anti-virus programs tested by VirusTotal service detected the new threat. It’s unclear who is behind the malware as of now, but it is clear that the actor would abort infection rather than being caught.

Furtim is deployed as a binary file named “native.dll,” which is a driver supposedly meant to be loaded by the kernel, researchers explain. The analyzed sample was 295 KB in size, was compiled on October 22, 2015, and came unpacked, although it did show protection mechanisms.

Gottesman explains that strings in the sample are obfuscated, the binary contains other encrypted parts, and calls are made dynamically through a large structure that contains function pointers, albeit anti-debugging protection is not present. The analysis revealed the structure for function calls and a loop that decrypts strings that, when run, reveal plaintext strings and a struct full of function pointers.

The most interesting part of the malware was its ability to search the infected machine for registry entries or service executable names of 400 security programs, including well-known and very rare products. As soon as traces of such a program are discovered on the compromised system, the malware terminates itself.

The malicious program also checks for virtualization environments, being aware of all major virtualization and sandboxing products and avoiding them. Additionally, the malware knows of DNS filtering services due to its scanning of the network interfaces on the infected machine.

Advertisement. Scroll to continue reading.

Furtim also blocks access to nearly 250 security related sites, including anti-virus update sites and technical help destinations by replacing Windows’ hosts file, the researchers discovered (the list of blocked domains is available on Breaking Malware).

If no threat (anti-malware product) is found on the compromised machine, Furtim reads an encrypted hard-coded part of itself, decrypts it and writes it to the disk as a user-mode executable named “rdpinst.exe,” while also adding it to the registry RunOnce. The malware also takes a series of measures to ensure that the RunOnce key is not ignored by the Group policy and uses various Windows tools to enforce normal boot sequence, a very rare behavior for malware.

The newly dropped binary makes changes to the registry, mainly to the Policies key values, to block the user from accessing the Command Line (cmd) and Task Manager, and also collects information about the PC, including computer name and Windows’ installation date. The information is then encrypted and sent to a Russian-domain server, which resolves to IP addresses located in Ukraine.

According to enSilo’s researcher, the server responds with 3 binary files to be launched by the executable. The first uses the powercfg configuration tool to disable automatic sleep mode and hibernation on the infected machine, the second is a Pony stealer, designed to steal saved passwords and credentials from various programs, while the third binary is file that gathers info on certain discovered processes and sends it to another Russian server.

This third file has yet to be fully analyzed by researchers, and the same applies to the malware’s actual infection method, which is supposedly different from the usual “double-click and infect,” Gottesman noted.

Related: Malware Leverages Windows “God Mode” for Persistency

Related: Gozi Banking Trojan Targets Windows 10’s Edge Browser

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.