New research is challenging what security researchers know about Furtim, a new malware strain that has been compared to Stuxnet because of its believed targeting of industrial controls in energy companies.
According to security experts at Damballa, Furtim and the recently discovered SFG malware are one and the same – varying only by a few lines of code that include the HTTP header information.
The research clarifies earlier investigations that distinguished Furtim and SFG as closely related, but separate malware strains. Researcher Don Jackson, senior threat researcher at Damballa, says further analysis shows that they are the same.
“The only difference between them is in the HTTP header. Those headers simply have different values and are chosen at random by the malware so that different builds of the same malware don’t look the same on the network,” Jackson said.
Jackson said additional research into Furtim/SFG shows that the malware is not singling out energy plants as targets, as previously thought, but is trying to infect any network in an attempt to steal user credentials.
“This malware is being distributed via a variety of different methods including drive-by downloads, malvertising and spam messages. It’s extremely opportunistic and not specifically targeting one sector over another. It’s just infecting Windows machines wherever it can find a way in,” Jackson said.
It was previously believed that Furtim/SFG was designed specifically to target the energy sector. On July 12, a report by SentinelOne said an SFG dropper was targeting an unspecified European energy company. The company believed SFG was the work of a state-sponsored group that used the dropper as the first stage of a targeted attack in which the Furtim malware was then downloaded.
On July 14, SentinelOne updated its research: “There has been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems. We want to emphasize that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target.”
Furtim/SFG’s principal mission was to avoid detection and execute privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.
“As far as the number and type of tactics this malware is really state of the art. It tries almost every trick that I’ve run across to stay hidden and being analyzed. It’s not nation-state level, but it is extremely well put together malware,” Jackson said.
Furtim was uncovered by security company enSilo, which published a report in May on the malware. The sample described by enSilo had three payloads: a power-saving configuration tool that disables sleep mode and hibernation on Windows machines in order to maintain command and control connections; the Pony malware, which steals credentials and sends them back to the attackers’ server; and an unknown payload that sends a list of security processes running on the machine to the command and control server, even though the malware has theoretically already wiped AV off the machine before installing itself.
According to Damballa researchers, the Furtim/SFG malware is being distributed via a Malware-as-a-Service relationship by a version of the Fast Flux botnet that they are calling Dark Cloud. Fast Flux relies on a DNS technique that hides cybercrime activity behind an ever-changing network of compromised hosts acting as proxies.