A malware dropper with designs on specific targets was found in a private underground forum and is likely the predecessor to the Furtim malware that was uncovered in May.
Researchers at SentinelOne today published a report that says the dropper sample they investigated, which they’re calling SFG, was built to target at least one unnamed European energy company. The report says the dropper is likely the work of a state-sponsored group and is used as the first stage of targeted attacks.
The dropper’s principal mission is to avoid detection; it will not execute if it senses it’s being run in a virtualized environment such as a sandbox, and it can also bypass antivirus protection running on compromised machines.
The sample also includes a pair of privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.
“It escalates privileges after all these checks and registers a hidden binary that it drops onto the hard drive that runs early in the boot process,” SentinelOne senior security researcher Joseph Landry said. “It will go through and systematically remove any AV on the machine that it targets. Then it drops another payload to the Windows directory and runs it during login time.”
In this one sample, Landry said, the dropper sets the stage for the installation of the Furtim malware. Furtim was uncovered by security company enSilo, which published a report in May on the malware. The sample described by enSilo had three payloads: a power-saving configuration tool that disables sleep mode and hibernation on Windows machines in order to maintain command and control connections; the Pony malware, which steals credentials and sends them back to the attackers’ server; and an unknown payload that sends a list of security processes running on the machine to the command and control server, even though the malware has theoretically already wiped AV off the machine before installing itself. In the case of the sample found by SentinelOne, its command and control servers are already offline and it’s unknown what other payloads and commands it could handle. Landry said this is the first stage of a bigger attack.
“This gives them a point on the network from where they can then pivot and attack other systems or do recon from,” Landry said. “We’re not seeing anything it’s attacking, but this is where the initial implant would be. They would be able to run whatever code without AV chirping.”
Udi Shamir, chief security officer at SentinelOne, said he’s unaware of how many victims there may be.
“I don’t have exact numbers on the infection magnitude, but this sample was developed for more targeted attacks rather than high infection volume (still, this is an estimation),” he said. “This sample seems to target large enterprise organizations, and has probably already infected a few.”
Since the code burrows itself into the startup process much like a rootkit, Landry said it would be difficult to remove.
“This is very professional, not just the techniques used to wipe AV, but the code is professional,” Landry said. “The APIs here are very low level and not normally public. This was built by someone who really understands how Windows works, and how it has changed over the last few years. It’s very likely a nation-state deal. Criminals don’t need it to be this effective.”