A security researcher who goes online only by the nickname FireFOX (@hFireF0X) has discovered and analyzed a unique malware family that pays a lot of attention to remaining undetected, rather than to having great features or efficient data exfiltration procedures.
The researcher named the malware Furtim, the Latin word for “stealthy,” and tracked down some of its command & control servers to a Russian domain, which resolves back to a Ukrainian IP.
At the time of his analysis, despite managing to break down a large part of Furtim’s mode of operation, FireFOX had not discovered how the crooks are spreading the malware, how it gains an initial foothold on infected devices, or what kind of targets it is seeking.
Furtim, a.k.a. “the paranoid malware”
FireFOX also noted something about Furtim that he had not seen in other types of malware: Furtim pays far more attention than usual to avoiding detection by security products.
During its installation, the malware checks for the presence of virtualized or sandboxed environments, the kind of tooling security researchers use for malware debugging.
Furtim also includes filters for over 400 security products. If it finds at least one of them installed on the PC, it aborts the installation.
After it has installed itself, the malware defeats DNS filtering services by replacing the configured DNS servers with public resolvers operated by Google and Level3 Communications, and it also blocks users from accessing nearly 250 infosec websites.
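A defender-side check for the two host-level changes just described, written as an added example that is not code from the article or from the researcher. It assumes the site blocking is done through the hosts file (the article does not say how) and uses a constructed hosts file and a constructed three-domain stand-in for the ~250-site list.

```python
"""Flag hosts-file sinkholing of security domains and DNS resolver replacement."""
import ipaddress
import re

# Public resolvers of the kind the article attributes to Google and Level3.
# Exact addresses are an assumption; extend the set for your environment.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "4.2.2.1", "4.2.2.2"}

# Constructed stand-in for the infosec domain list (the real list is not in the article).
WATCHED_DOMAINS = {"virustotal.com", "malwarebytes.com", "kaspersky.com"}

# Addresses that make a hosts entry unreachable: loopback or the unspecified address.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32")]

# Constructed hosts file: two security domains sinkholed, one benign entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   www.virustotal.com
0.0.0.0     malwarebytes.com   # blocked
93.184.216.34 example.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        pairs.extend((fields[0], host.lower()) for host in fields[1:])
    return pairs

def sinkholed_security_domains(hosts_text, watched=WATCHED_DOMAINS):
    """Watched hostnames that the hosts file points at a non-routable address."""
    hits = []
    for ip, host in parse_hosts(hosts_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed entry; not our concern here
        registrable = ".".join(host.split(".")[-2:])  # www.virustotal.com -> virustotal.com
        if registrable in watched and any(addr in net for net in SINKHOLE_NETS):
            hits.append(host)
    return hits

def resolver_replaced(configured_dns, expected_dns):
    """True when every configured resolver is public and none is one the site expects."""
    configured = set(configured_dns)
    return bool(configured) and configured <= PUBLIC_RESOLVERS and configured.isdisjoint(expected_dns)

if __name__ == "__main__":
    print(sinkholed_security_domains(SAMPLE_HOSTS))
    print(resolver_replaced(["8.8.8.8", "8.8.4.4"], {"192.168.1.1"}))
```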
Furtim is really, really, really paranoid
The self-defense mechanism doesn’t stop there: Furtim also disables the Windows notification and pop-up mechanisms, along with the user’s access to the command line and the Task Manager.
Once Furtim is comfortable within its infected environment, it collects data from the device and sends it to the server.
The server uses this data to distinguish between its targets and to deliver the final payloads, since Furtim is only a malware downloader, a stepping stone for more dangerous threats.
FireFOX noticed that the server sent the malware payloads only once to each target, a tactic that also makes reverse engineering by security researchers much harder.
Furtim delivers the Pony infostealer and another unknown payload
The final payload is actually made up of three files. The first is a power configuration file for the infected computer that removes sleep mode and hibernation settings.
The second is the Pony infostealer, malware specialized in stealing all kinds of sensitive data, from FTP and email client credentials to browser history and stored passwords.
The third and final payload is currently unknown, with FireFOX saying he wasn’t able to crack it.
“We do know that a third binary is downloaded. It is identified as generic by certain AVs, possibly due to the fact that it is packed. We have yet to analyze it to completely understand what it does,” FireFOX said. “We do know though, that it communicates back a list of certain discovered processes to another Russian server.”
With all these data exfiltration features and its focus on stealth, Furtim sure looks like the spawn of a cyber-espionage group, even if FireFOX didn’t say so. Coincidentally or not, FireFOX’s blog mysteriously went offline just a few hours after he published his research. DDoS attack? Maybe. But it sure looks like someone doesn’t want the world to know about Furtim.