SFG, a member of the Furtim malware family, was until now believed to be specifically targeting European energy companies, but its real purpose turns out to be much more focused on stealing passwords and money.
Furtim was first detected in May, and at the time it was thought that the malware had been developed to check the infected system for traces of 400 anti-virus programs and to block access to almost 250 security sites. It was also reported that Furtim worked as a dropper, delivering binaries such as the Pony info-stealer, which allowed it to steal users' passwords and documents and send them to the attackers.
According to SentinelOne's report, there was a chance that SFG was a state-sponsored tool that could be used to block an entire energy grid. Guided by the fact that the malware relied on two well-known exploits (CVE-2014-4113 and CVE-2015-1701) and one UAC bypass, the researchers concluded that this was not a case ordinary cybercriminals could be held responsible for, but more likely the work of “developers with high-level skills”.
What misled the researchers were the proficient anti-detection mechanisms that SFG was packing, which were first described by Yotam Gottesman, Senior Security Researcher at enSilo. Although the huge number of anti-virus programs on Furtim's list suggests a focus on remaining stealthy, the real purpose of the malware is completely different.
When a SentinelOne specialist performed a detailed analysis of SFG, it turned out that there was no proof that ICS or SCADA systems had ever been on the malware's target list, as had been thought. Hence the conclusion, stated by security firm Damballa, that Furtim is not interested in the energy sector or in any other particular sector. This was confirmed shortly after, when a blog post revealed over 15,000 infected hosts all over the world, clear evidence that the malware had been misjudged at first and was now showing its real purpose.
Hereupon, SentinelOne updated its blog to state that there is in fact no proof that the attack they analyzed was actually aimed at a SCADA energy system. They pointed out that their focus had been on the malware's characteristics rather than on the target or attribution. However, they still believe that SFG “likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe”, unlike Damballa, according to which SFG “has nothing to do with state-sponsored actors, but is instead highly connected to the cyber-crime world”.
Moreover, the security firm states that Furtim borrows the same well-known financially motivated tools used by infamous malware families such as ransomware, botnets, banking Trojans and info-stealers. They even succeeded in linking SFG to a fast-flux proxy-based network, called Dark Cloud or Fluxxy, which is considered to be “the most damaging one”.