Modern Malware Evolves, Evades AV Detection

Clever new credential-thief aces Latin and flunks VirusTotal tests

Furtim is Latin for ‘by stealth’, and the name fits. Recently spotted by researchers, this credential-stealing malware had, at the time of analysis, a VirusTotal detection rate of zero (yes, 0.0%). It consists of a driver, a downloader and three payloads, and its entire method is built around staying hidden.

The three payloads are: a configuration tool that changes power settings so the infected machine stays awake and keeps in contact with the command and control server (C&C); Pony Stealer, a well-known and capable credential collector; and a third file that communicates with the C&C and was still being analyzed at the time of writing. Furtim goes further than most malware to stay covert. Before doing anything else it checks the targeted system for over 400 security applications. It then blocks access to some 250 security-related sites that could expose it, by replacing the Windows hosts file so that those names resolve to nothing useful. It also sidesteps DNS-based filtering: where the system is configured to use a known filtering nameserver, Furtim swaps it for a public resolver that will answer for any domain.
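The hosts-file and nameserver tampering described above can be checked for from the defender's side. The following Python is an added example, not code from the article or from the researchers who analyzed Furtim. It parses a constructed, tampered hosts file and flags watched security domains that have been sinkholed to a loopback or unspecified address, and it compares an endpoint's configured DNS resolvers against an organization's approved filtering resolvers. The watch list, the approved-resolver addresses and the sample hosts content are all assumptions for illustration; the article does not name the 250 sites Furtim blocks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of a tampered hosts file (not a real Furtim artefact):
# the stock loopback entries, followed by watched security domains sinkholed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virustotal.com
0.0.0.0         update.example-av.com  # hypothetical vendor domain
127.0.0.1       myapp.local
"""

# Assumption: an organization-maintained list of security domains to watch.
# The article does not name the 250 sites Furtim actually blocks.
WATCHED_DOMAINS = frozenset({"virustotal.com", "example-av.com"})

# Assumption: the organization's own filtering resolvers. Anything else
# configured on an endpoint (e.g. a public resolver) bypasses that filtering.
APPROVED_FILTERING_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})

# Addresses that turn a name into a dead end when placed in the hosts file.
SINKHOLE_ADDRS = frozenset(
    ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")
)


@dataclass(frozen=True)
class HostsFinding:
    address: str
    hostname: str
    watched_domain: str


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry; skip rather than crash on junk
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def _watched_parent(hostname, watched):
    """Return the watched domain that hostname equals or is a subdomain of."""
    for domain in watched:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def find_sinkholed_watched(hosts_text, watched=WATCHED_DOMAINS):
    """Flag watched security domains that the hosts file sends nowhere."""
    findings = []
    for addr, name in parse_hosts(hosts_text):
        if addr not in SINKHOLE_ADDRS or name == "localhost":
            continue
        parent = _watched_parent(name, watched)
        if parent is not None:
            findings.append(HostsFinding(str(addr), name, parent))
    return findings


def find_unapproved_resolvers(configured, approved=APPROVED_FILTERING_RESOLVERS):
    """Return configured DNS servers that are not approved filtering resolvers."""
    return sorted(r for r in configured if r not in approved)


if __name__ == "__main__":
    for f in find_sinkholed_watched(SAMPLE_HOSTS):
        print(f"hosts file sinkholes {f.hostname} -> {f.address} "
              f"(watched domain: {f.watched_domain})")
    # Constructed resolver list: the org resolver plus a public one swapped in.
    for r in find_unapproved_resolvers(["10.0.0.53", "8.8.8.8"]):
        print(f"unapproved resolver configured: {r}")
```

On a real Windows host the inputs would come from `%SystemRoot%\System32\drivers\etc\hosts` and the adapter DNS settings; the matching logic deliberately flags subdomains as well as exact names, since a hosts entry for `www.virustotal.com` blocks the site just as effectively as one for the bare domain.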

Furtim also overrides the reboot policy to ensure its payloads run; it blocks user access to the command line and Task Manager so that its processes cannot be killed by hand; and it disables Windows pop-ups and notifications. As a further precaution, the C&C serves the payloads to a given victim only once, which makes it harder for analysts to retrieve them or trace the server. All in all, one very busy, and very shy, piece of malware. Each of these steps is also a detection opportunity, though: a rewritten hosts file, changed DNS settings and newly imposed restrictions on Task Manager and the command line are all visible to endpoint monitoring.

The goal of the malware is not certain, though the researchers note that Pony Stealer is an effective tool for lateral movement in a targeted attack, and it may be that this release is part of a larger campaign. “Given the defense measures that Furtim takes, we can imagine that Furtim is more than a downloader used by common fraudsters. The threat actors behind Furtim were dedicated, knowing that it’s worth remaining stealthy, even at the expense of hitting more targets, rather than being revealed,” concluded Yotam Gottesman, one of the researchers analyzing the malware.

He added that the C&C is hosted in Russia and connected to several Ukrainian IP addresses, and that its communication configuration is set to Russian. An executive at Carbon Black likened today’s attackers, with their degree of stealth and evasion, more to secret agents than to bank robbers: “This is precisely why it’s so vital that organizations have continuous monitoring running on all endpoint devices, as that’s the only sure-fire way to capture the entire ‘kill chain’ of a successful attack so it can be traced back to where it came in and shut out completely.”

Summarizing, he added: “It’s also another reminder of why we need to get out there and start proactively threat hunting, so we can identify any similar breeds of sneaky malware sitting on our systems undetected.”
