Researchers at SentinelOne have identified a malware campaign that targeted at least one European energy company. The sample used in the campaign combines a number of evasion techniques that are rarely seen in ordinary malware.
The most striking aspect of the code is how much effort its developers put into making sure the malware would not raise any flags on infected hosts. That level of care is usually found in malware used by nation states. SentinelOne believes the threat actor behind it is most likely based in Eastern Europe; the researchers named the malware Furtim's Parent.
Furtim is a trojan discovered in May this year by the security company enSilo. According to the researchers, it carries a large number of anti-AV checks: it stops executing if it finds any of roughly 400 security products on the host, and it hijacks local name resolution for more than 250 domains belonging to security companies and their products, so that those products can no longer reach their update and cloud servers.
Furtim's Parent performs the same checks as the original Furtim. It looks for reverse engineering tools and security products, and it uses local DNS hijacking so that requests for security-related domains never reach their real destination.
Checks of that kind, however, are found in many other malware families. What was genuinely unusual in this case was the presence of checks for biometric authentication products such as fingerprint readers and iris scanners: if any of them is found, Furtim's Parent stops executing. ZKTeco is one of the biometrics vendors whose products the malware checks for.
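The local DNS hijacking described above is what a responder should look for first on a suspect host. On Windows the usual way to do it is to write entries into the hosts file, so the following added example (written for this page, not code from SentinelOne's or enSilo's write-ups) audits that file for security-vendor names that have been pointed at a sinkhole address. The example assumes the hosts-file mechanism, and the vendor keyword list is an illustrative assumption, not the malware's actual 250-domain list.

```powershell
# Added example: audit the Windows hosts file for entries that sinkhole security-vendor
# domains, the local DNS hijacking trick Furtim and Furtim's Parent use to keep security
# products from reaching their update and cloud servers.
# Assumptions: the hosts file is the hijacking mechanism; the keyword list below is made up
# for illustration and is not the malware's real domain list.
function Find-HostsSinkholes {
    param(
        [string]   $Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
        [string[]] $VendorKeywords = @('symantec','norton','mcafee','kaspersky','eset',
                                       'sophos','trendmicro','avast','avg','bitdefender',
                                       'malwarebytes','sentinelone','ensilo','virustotal',
                                       'windowsupdate','microsoft'),
        # Destinations that effectively black-hole a name: loopback or the unspecified address
        [string[]] $SinkholeAddresses = @('127.0.0.1','0.0.0.0','::1')
    )

    $lineNo = 0
    Get-Content -LiteralPath $Path | ForEach-Object {
        $lineNo++
        $line = ($_ -split '#')[0].Trim()      # strip trailing comments
        if (-not $line) { return }              # blank or comment-only line: next line
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }     # malformed line: next line
        $address = $fields[0]
        # One address may be followed by several hostnames; check each of them
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $hit = $VendorKeywords | Where-Object { $name -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{
                    Line      = $lineNo
                    Hostname  = $name
                    Address   = $address
                    Sinkholed = ($SinkholeAddresses -contains $address)
                    Vendor    = ($hit -join ',')
                }
            }
        }
    }
}

# Any hit with Sinkholed = True is a strong tampering indicator; a vendor name mapped to a
# routable address is worth a look too, since it may be an attacker-controlled server.
Find-HostsSinkholes | Format-Table -AutoSize

# The file's modification time is a second, independent signal: on a clean host it is
# normally the OS installation date.
Get-Item -LiteralPath (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts') |
    Select-Object FullName, LastWriteTime, Length
```

Run it in an elevated PowerShell session on the suspect host. A default hosts file contains only comments and, at most, the localhost entries, so any output at all deserves investigation.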
Furtim's Parent also differs from run-of-the-mill malware in where it lives on disk. According to SentinelOne, it stores itself in an NTFS Alternate Data Stream (ADS), which ordinary file browsers such as Explorer, and a plain dir listing, do not display; the stream is still visible with dir /R or with PowerShell's Get-Item -Stream parameter, which is what a responder should use to find it. In addition, by calling low-level Windows APIs that are normally used by drivers, Furtim's Parent evades security products that rely on behavioral detection.
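The following added example (written for this page, not code from the SentinelOne report) shows why an alternate data stream hides from ordinary listings and then enumerates non-default streams under a directory, which is the check to run when hunting for this kind of persistence. The directory, file and stream names are made up for the demonstration.

```powershell
# Added example: demonstrate ADS invisibility, then hunt for non-default streams.
# Assumptions: the demo directory, cover file and stream name below are made up;
# the malware's real stream and host file are not named in the public report.

$demoDir   = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$coverFile = Join-Path $demoDir 'report.txt'
Set-Content -LiteralPath $coverFile -Value 'harmless cover file'

# Write a second, named stream into the same file. Explorer and a plain 'dir' show only
# the unnamed :$DATA stream, so the file looks like a small text file.
Set-Content -LiteralPath $coverFile -Stream 'payload' -Value 'data hidden in an ADS'

Get-ChildItem -LiteralPath $demoDir          # lists report.txt only; size is the cover text
cmd /c "dir /R `"$demoDir`""                 # /R reveals report.txt:payload:$DATA

function Find-AlternateStreams {
    # Walk a tree and report every stream that is not the main data stream.
    # Zone.Identifier is the Mark-of-the-Web written by browsers and is ignored by default;
    # remove it from $Ignore if you want the full picture.
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $Ignore = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $Ignore -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# On the demo tree this returns one row: report.txt, stream 'payload'.
Find-AlternateStreams -Root $demoDir

# Reading a suspicious stream out for analysis without executing it:
# Get-Content -LiteralPath $coverFile -Stream 'payload' -Raw
```

For a real hunt, point Find-AlternateStreams at the system drive or at user profile directories; expect Zone.Identifier streams on downloaded files and treat any other named stream, especially one with an executable-sized Length, as something to pull and analyse.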
To obtain administrative rights, the malware combines a UAC bypass with two local privilege escalation exploits, CVE-2014-4113 and CVE-2015-1701, both of which are win32k.sys kernel-mode driver flaws that Microsoft patched in MS14-058 and MS15-051 respectively. Once elevated, Furtim's Parent adds the current user to the local Administrators group and continues with its normal behavior.
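The privilege escalation chain leaves two things a responder can check without touching the exploits themselves: whether the host is still exposed to the two win32k.sys bugs, and whether anyone was quietly added to the local Administrators group. The following added example (written for this page, not code from the SentinelOne report) does both; the KB numbers are the Microsoft updates for MS14-058 and MS15-051, the 30-day window is an arbitrary choice, and the group-change check assumes Security Group Management auditing is enabled on the host.

```powershell
# Added example: triage checks for the privilege escalation chain used by Furtim's Parent.
# Assumptions: KB3000061 (MS14-058, CVE-2014-4113) and KB3045171 (MS15-051, CVE-2015-1701)
# are the fixes to look for; the 30-day lookback is arbitrary; event 4732 is only written
# when "Audit Security Group Management" is enabled. Get-LocalGroupMember needs PS 5.1+.

# 1. Are the two win32k.sys fixes present? On newer builds a cumulative update may have
#    superseded them, so treat a miss as actionable mainly on Windows 7 / 2008 R2 era hosts.
$requiredKBs = @{ 'KB3000061' = 'CVE-2014-4113'; 'KB3045171' = 'CVE-2015-1701' }
$installed   = (Get-HotFix).HotFixID
foreach ($kb in $requiredKBs.Keys) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0} ({1}): {2}' -f $kb, $requiredKBs[$kb], $state
}

# 2. Recent additions to a security-enabled local group. Event 4732 records who added which
#    SID to which group; filter it down to the Administrators group.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Group     = $data['TargetUserName']
            MemberSid = $data['MemberSid']
            AddedBy   = $data['SubjectUserName']
        }
    } |
    Where-Object { $_.Group -eq 'Administrators' } |
    Format-Table -AutoSize

# 3. Current membership, to compare against a known-good baseline for the host.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

A non-admin account that appears in step 3 but not in the baseline, with a matching 4732 event in step 2 whose AddedBy is that same account, is the signature of the self-elevation described above rather than of a routine administrative change.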
According to SentinelOne, Furtim's Parent is a dropper, a category of malware whose job is to install more capable payloads. Although this particular sample was found on the network of an energy company, nothing in its feature set ties it to that environment; it would work equally well elsewhere.
SentinelOne's analysis concludes that Furtim's Parent is not the work of an ordinary cybercrime group but of a nation-state sponsored actor with the time and resources to tailor a tool to a specific environment and to invest heavily in staying undetected.