Experts Warn of Super-Stealthy Furtim Malware

Security experts are warning of newly discovered credential-stealing malware which prioritizes stealth, scoring a 0% detection rate in VirusTotal.

Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.

The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.

Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.

It blocks access to nearly 250 security-related sites by replacing Windows’ hosts file, and avoids DNS filtering services by scanning and replacing any known filtering nameserver to public nameservers.

Once installed, it will override any reboot policy to ensure downloaded payloads will run; disable Windows notifications and pop-ups; and block the user from accessing the command line and task manager, so they can’t kill any malicious processes, the enSilo researcher continued.

Also, the C&C server will only send the payload once to a specific machine, to avoid researchers trying to collect samples from the server.

It’s still not clear what purpose Furtim serves, although the Pony Stealer component would work well in the lateral movement stage of a targeted attack, it is claimed.

“Given the defense measures that Furtim takes, we can imagine that Furtim is more than a downloader used by common fraudsters. The threat actors behind Furtim were dedicated, knowing that it’s worth to remain stealthy, even on the expense of hitting more targets, than being revealed,” concluded Gottesman.

“We do know that the C&C server is hosted at a Russian domain, which resolves to several Ukrainian IP addresses. Additionally, communications are configured to accept Russian.”

Ben Johnson, chief security officer at Carbon Black, claimed hackers are more akin to secret agents than bank robbers today, in building malware to circumvent traditional filters.

“This is precisely why it’s so vital that organizations have continuous monitoring running on all endpoint devices, as that’s the only sure-fire way to capture the entire ‘kill chain’ of a successful attack so it can be traced back to where it came in and shut out completely,” he added.

“It’s also another reminder of why we need to get out there and start proactively threat hunting, so we can identify any similar breeds of sneaky malware sitting on our systems undetected.”

What’s Hot on Infosecurity Magazine?