Furtim's Parent is probably the work of a nation-state group

Jul 12, 2016 22:55 GMT

Security researchers from SentinelOne have stumbled upon a malware campaign targeting at least one European energy company, which features a large arsenal of tools rarely seen in ordinary malware samples.

The detail that particularly stood out as regards the malware's code was the fact that its creators spent a great amount of time to make sure their threat wouldn't raise any flags on infected hosts.

This level of detail and attention is usually found in the malware used by nation states. SentinelOne experts believe that a threat actor residing in Eastern Europe may have been behind this malware, which they dubbed Furtim's Parent.

Links to Furtim malware discovered in May 2016

Furtim is the name of a trojan discovered in May 2016 by security firm enSilo, which featured a massive number of anti-AV checks. Furtim stopped execution if it found any of 400 security products, and it intercepted DNS requests for over 250 domains associated with security firms and their products.

Just like the original Furtim, Furtim's Parent features these checks: it looks for reverse engineering tools and security products, and it uses local DNS hijacking techniques to intercept HTTP requests to security-related domains.

But these checks are also present in many other malware families. What was strange was the presence of checks for biometric authentication products, like fingerprint readers or iris scanners. If any of these products were found, Furtim's Parent would stop execution. One particular biometrics vendor targeted by the malware is ZKTeco.

Furtim's Parent uses driver-level APIs

The malware also differs from everyday malware because it doesn't operate at the same level. According to SentinelOne, Furtim's Parent lives in an NTFS Alternate Data Stream (ADS), so it won't be visible to normal file browsers.

Furthermore, by using low-level Windows APIs normally called by drivers, the malware evades detection by security products that rely on behavioral detection routines.

But the malware doesn't stop here. In order to function, it also employs a UAC bypass and two local privilege escalation exploits (CVE-2014-4113 and CVE-2015-1701) to gain admin privileges.
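For defenders, the ADS placement described above is the part that can be checked directly, since Explorer and `dir` hide alternate streams but PowerShell can enumerate them. The sweep below is an added example, not code from SentinelOne's analysis; it assumes Windows PowerShell 3.0 to 5.1 (the `-Encoding Byte` switch is not available in PowerShell 6+) and lists every non-default stream under a path, flagging streams that start with a PE header.

```powershell
# Added example (not from the SentinelOne report): list NTFS alternate data streams
# under a directory tree, skipping the default ':$DATA' stream every file has.
# Assumes Windows PowerShell 3.0-5.1, where Get-Item and Get-Content support -Stream.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names Windows adds routinely (e.g. mark-of-the-web) that are normally benign.
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStreams } |
                ForEach-Object {
                    $stream = $_
                    # Read the first two bytes of the stream: 'MZ' (0x4D 0x5A) means it holds
                    # a PE image, the case worth escalating when hunting a dropper hidden in an ADS.
                    $header = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    $isPE = ($header.Count -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)

                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $stream.Stream
                        SizeBytes   = $stream.Length
                        LooksLikePE = $isPE
                        LastWrite   = $file.LastWriteTime
                    }
                }
        }
}

# Usage: review any stream flagged LooksLikePE, and any stream name you cannot explain.
Find-AlternateDataStreams -Path 'C:\Users' | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

A stream that is not `:$DATA` or `Zone.Identifier` is not proof of compromise on its own (some backup and sync tools add their own), so treat the output as a triage list rather than a verdict.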

Furtim's Parent is a malware dropper

The malware then elevates the current user to the admin group and moves on with its regular behavior. SentinelOne says that Furtim's Parent is a malware dropper, a category of malware usually employed to download more potent threats.

While this particular sample was discovered in the network of a company in the energy sector, Furtim's features allow it to be as effective in other environments as well.

What's clear from SentinelOne's technical analysis of this threat is that this is not the work of regular cyber-crime syndicates, but of a nation-state sponsored group that has enough time and resources to develop the tool for specific environments (that deploy biometrics) and puts an absurd amount of effort into remaining undetected.