Stealthy Malware Goes to Extreme

Thursday, May 19, 2016 @ 04:05 PM gHale


Stealth mode is the name of the game for malware; get in, get out and avoid any kind of detection whatsoever.

That is the goal of any malware developer and there is now one out there that appears to be head and shoulders above the rest.

RELATED STORIES
Ransomware Decryption Tool Updated
Ransomware Knocks Out Entire PC
New Attack Approach for Revised Ransomware
Ransomware Infections Continue Growth

Furtim malware, which means stealthy in Latin, goes to great lengths to avoid being caught, Yotam Gottesman, senior security researcher at enSilo, said in a blog post.

The malware includes checks for 400 security products, he said. “These include the well-known ones and also very rare, some on the verge of esoteric programs,” Gottesman said.

Should any of the products on the list end up discovered on the targeted computer, the malware terminates itself.

Built to target Windows computers, the malware was first discovered by a researcher that goes by the name of @hFireF0X, who noticed that none of the 56 antivirus programs tested by VirusTotal service detected the new threat. It’s unclear who is behind the malware as of now, but it is clear the attacker would abort infection rather than being caught.

Furtim is a binary file named “native.dll,” which is a driver supposedly meant to load by the kernel, researchers said. The analyzed sample was 295 KB in size, compiled on October 22, 2015, and came unpacked, although it did show protection mechanisms.

Gottesman said strings in the sample end up obfuscated, the binary contains other encrypted parts, and calls occur dynamically through a large structure that contains function pointers, albeit anti-debugging protection is not present.

The malicious program also checks for virtualization environments, being aware of all major virtualization and sandboxing products and avoiding them. Additionally, the malware knows of DNS filtering services due to its scanning of the network interfaces on the infected machine.

Furtim also blocks access to nearly 250 security related sites, including antivirus update sites and technical help destinations by replacing Windows’ hosts file, the researchers said.

If no anti-malware is on the compromised machine, Furtim reads an encrypted hard-coded part of itself, decrypts it and writes it to the disk as a user-mode executable named “rdpinst.exe,” while also adding it to the registry RunOnce. The malware also takes a series of measures to ensure the RunOnce key is not ignored by the Group policy and uses various Windows tools to enforce normal boot sequence, a very rare behavior for malware.