Overview
Recently we came across a new malware strain, first discovered by @hFireF0X, which at the point of discovery was not detected by any of the 56 anti-virus programs tested by the VirusTotal service.
It is not yet known who is behind this malware, and since no string in the file disclosed its original name, we code-named it “Furtim”, the Latin translation of “stealthy”. In fact, as we’ll show, Furtim goes to great lengths to avoid being caught by security parties. For example, Furtim won’t install itself if it finds on the target machine any of an extensive list of security products (both common and esoteric), sandboxes or virtualization environments.
These threat actors would rather give up on a target than take the chance of being exposed.
Given these interesting facts, we decided to perform a deep analysis of this new malware sample.
Initial Look
Furtim arrives as a binary file, originally named “native.dll”.
The file is a driver. It is supposed to be loaded by the kernel.
It weighs 295 KB and is timestamped October 22, 2015.
Packing and protection
This sample does not come packed, possibly because driver packers are far less common than packers for regular executables.
Protection mechanisms are in place, though.
Calls are made dynamically through a large structure that contains function pointers, strings are obfuscated, and the binary contains other encrypted parts.
Anti-debugging is not present, possibly because debugging drivers is more complex, so Furtim’s authors simply chose not to include this feature.
Running Furtim (directly)
We use Windows’ sc tool to create a service for the driver.
Initially we tried to run it in kernel mode using:
sc create native binPath= native.dll type= kernel
The command returns an error and appears to do little or nothing.
Running Furtim (with a debugger this time)
Now let’s let the sample do some of its work under the control of a debugger.
First, we’ll change the first byte of the program to an INT 3 instruction (opcode 0xCC).
Then we’ll attach WinDbg in kernel debugging mode to the machine. Finally, we can run the sample using the sc tool again:
sc start native
… And the debugger stops at the entry point.
Structure handling and string deobfuscation
Using IDA, we can see the large constructor-like function that builds the global structure used for function calls. Note that this struct holds not only imported function pointers but also pointers used for local calls, which makes IDA’s cross-reference view useless at first.
We can also see the loop that decrypts strings.
Letting these two important parts run reveals plaintext strings and a struct full of function pointers.
How Furtim avoids security products
The strings tell us what this sample is looking for.
In a nutshell, Furtim searches the infected machine for any trace of a security program. The authors went to great lengths, including no fewer than 400 registry entries or service executable names of security programs. These include the well-known ones as well as very rare, even esoteric, programs. The code screenshot below shows some of these registry key names.
If one of these programs is found (sometimes even a trace of it is enough), the sample quits.
Virtualization environments are also checked thoroughly. Furtim is aware of all major virtualization and sandboxing environments and will not run if one of them is detected.
We’ve also noticed that Furtim is aware of DNS filtering services: it scans the network interfaces on the infected machine and replaces any known filtering nameserver with public nameservers offered by Google and Level3 Communications.
Finally, access to nearly 250 security-related sites, such as AV update sites, is blocked by replacing Windows’ hosts file (the full list of blocked sites appears at the end of this post). The blocked-sites list also includes technical help sites such as BleepingComputer.com.
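The two network-level changes described above (substituted nameservers and a hosts file that pins security vendor domains) are the kind of thing a host-based check can catch. The following is an added detection example written for this post, not code from Breaking Malware or from the Furtim sample. It assumes the blocked domains are pinned in the hosts file (the post does not say which address they are mapped to, so any pinning of a watchlisted domain is flagged), uses a handful of domains from the blocked-sites list at the end of the post as its watchlist, and uses the well-known Google and Level3 resolver addresses as the "public resolver" set. The hosts-file text and interface DNS settings are constructed sample input.

```python
import ipaddress
import re

# Public resolvers that, per the post, Furtim substitutes for filtering nameservers.
# Addresses are the well-known Google Public DNS and Level3 resolvers (not taken from the post).
KNOWN_PUBLIC_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",             # Google Public DNS
    "4.2.2.1", "4.2.2.2", "4.2.2.3",  # Level3
}

# A small subset of the blocked-sites list from the end of the post.
SECURITY_DOMAINS = {
    "update.eset.com", "download.bitdefender.com", "www.malwarebytes.org",
    "bleepingcomputer.com", "virustotal.com", "www.gmer.net",
}

HOSTS_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>.+?)\s*$")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        for name in m.group("names").split():  # one IP may map several names
            entries.append((m.group("ip"), name.lower()))
    return entries


def find_blocked_security_sites(text, watchlist=SECURITY_DOMAINS):
    """Watchlisted domains (or their subdomains) that the hosts file pins to any address."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)         # skip malformed lines
        except ValueError:
            continue
        if name in watchlist or any(name.endswith("." + d) for d in watchlist):
            hits.append((name, ip))
    return hits


def find_replaced_resolvers(interfaces, expected_resolvers):
    """Interfaces that no longer use any expected (internal/filtering) resolver
    and instead point at a known public resolver. Returns {iface: [public resolvers]}.
    A swap to a resolver outside KNOWN_PUBLIC_RESOLVERS is not detected by this check."""
    suspicious = {}
    for iface, servers in interfaces.items():
        servers = set(servers)
        if servers & expected_resolvers:
            continue
        public = sorted(servers & KNOWN_PUBLIC_RESOLVERS)
        if public:
            suspicious[iface] = public
    return suspicious


# Constructed sample hosts file: default entries plus three pinned vendor domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 update.eset.com
127.0.0.1 download.bitdefender.com   # pinned by the dropper
0.0.0.0 www.malwarebytes.org
192.168.1.20 intranet.example.local
"""

# Constructed per-interface DNS settings; the enterprise resolvers are 10.0.0.53/54.
SAMPLE_INTERFACES = {
    "Ethernet0": ["8.8.8.8", "4.2.2.2"],   # both internal resolvers replaced
    "Wi-Fi": ["10.0.0.53", "8.8.4.4"],     # still has an internal resolver
    "Ethernet1": ["1.1.1.1"],              # replaced, but not with a resolver we know
}
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

if __name__ == "__main__":
    for name, ip in find_blocked_security_sites(SAMPLE_HOSTS):
        print(f"hosts pin: {name} -> {ip}")
    for iface, public in find_replaced_resolvers(SAMPLE_INTERFACES, EXPECTED_RESOLVERS).items():
        print(f"resolver swap on {iface}: {public}")
```

On a live Windows host the hosts file is read from %SystemRoot%\System32\drivers\etc\hosts and the per-interface DNS servers can be taken from ipconfig /all or Get-DnsClientServerAddress; the expected-resolver set must come from your own environment. Note that Ethernet1 in the sample is not flagged, since the check only knows Google and Level3 addresses; comparing against the expected set alone (any interface with no expected resolver) is the stricter policy.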
Decrypting code
If Furtim decides that no threat of exposure is present on the victim machine, it reads an encrypted, hard-coded part of itself, decrypts it and writes it to disk.
This file is an ordinary user-mode executable named “rdpinst.exe”.
The dumped file is added to the registry RunOnce key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Certain measures are taken to ensure that the RunOnce key is not ignored by Group Policy, and a normal boot sequence is enforced using various Windows tools. This kind of behavior is very rare for malware, indicating that the developers were very thorough in their attack plan.
In certain situations the malware also triggers a system reboot following this installation.
Dropped binary
Stealth is again top-priority.
The newly dropped binary runs and immediately makes changes to the registry, mainly to the Policies key values. This effectively blocks the user from accessing the command line and Task Manager, tools that might reveal the malware’s process running in the background or provide a means to kill it.
rdpinst.exe collects unique information about the machine it is running on, such as the computer name and the Windows installation date, encrypts it and sends it to a server on a Russian domain. Resolving the Russian domain yields quite a few IP addresses, most of which are located in Ukraine.
The request contains an “Accept-Language” header set to “ru” (Russian), which further hints at this malware’s origin. It is important to note, however, that attribution based on attributes such as IP and language is never certain.
Communication with the server is done over HTTP, and the data is encrypted with the RC2 algorithm using a predefined key.
The server stores the received details about the infected machine to ensure that the payload is sent only once. In fact, even if the infected machine sends its unique information from a different IP, the C&C server knows not to re-send the payload and returns a 404 error on any subsequent request. This is possibly done to prevent security researchers and AV companies from collecting the samples from the server by repeating previous requests or running the sample multiple times.
The server then responds with the following three binary files, which the dropped executable executes.
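Both the RunOnce persistence described in the previous section and the Policies changes that lock out cmd.exe and Task Manager leave traces in the registry that can be reviewed offline from a reg export. The following is an added triage example written for this post, not code from Breaking Malware or from the sample. It assumes the policy values involved are the commonly used DisableCMD and DisableTaskMgr (the post only says "Policies key values", so the specific names are an assumption), additionally checks the HKCU RunOnce key alongside the HKLM one the post names, and uses a constructed .reg export with a placeholder drop path for rdpinst.exe (the real path is not given in the post).

```python
import re

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# RunOnce keys to review: HKLM is the one named in the post, HKCU is added here.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Policy values that disable the command prompt and Task Manager (assumed names).
POLICY_VALUES = (
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
)


def _decode(data):
    """Decode the string and dword forms used in .reg files; other types are left raw."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: decoded_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode(m.group("data"))
    return keys


def _lookup(keys, wanted):
    """Registry paths are case-insensitive; exports may use SOFTWARE or Software."""
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def runonce_entries(keys):
    """(value name, command) pairs under the RunOnce keys; normally this key is empty."""
    found = []
    for key in RUN_KEYS:
        for name, data in _lookup(keys, key).items():
            found.append((name, data))
    return found


def disabled_admin_tools(keys):
    """Names of policy values that are set to a non-zero dword, i.e. the tool is disabled."""
    disabled = []
    for key, name in POLICY_VALUES:
        value = _lookup(keys, key).get(name)
        if isinstance(value, int) and value != 0:
            disabled.append(name)
    return disabled


# Constructed sample export; the rdpinst.exe path is a placeholder, not from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"rdpinst"="C:\\Users\\Public\\rdpinst.exe"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for name, command in runonce_entries(parsed):
        print(f"RunOnce entry: {name} = {command}")
    for name in disabled_admin_tools(parsed):
        print(f"policy restriction set: {name}")
```

An export in this format is produced with reg export (for example reg export HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce runonce.reg); reg.exe writes UTF-16, so read the file with encoding="utf-16" before passing it to parse_reg_export. Since RunOnce is cleared after the entry executes, an image taken before the reboot the post mentions is the one that will still show the dropper.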
File #1: Power Saving Configuration
Availability is also important to the authors.
The first downloaded binary uses the powercfg configuration tool to change the power-saving settings of the infected machine. Automatic sleep mode and hibernation are disabled to ensure the system is always up and running unless manually shut down by a user.
On the face of it, a security-savvy person would notice changed power settings. However, the threat actors presumably reasoned that if they have already reached this stage, the user is less security-conscious.
File #2: Pony Stealer
The second binary is downloaded from a server in the UK. It is named Pony20.exe and, as its name implies, it contains “Pony Stealer”. This malware is run-once: it steals saved passwords and credentials from various installed programs and sends them back to a server, where they are conveniently organized in a searchable web platform for easy access.
File #3: Yet to be resolved
We do know that a third binary is downloaded. It is identified as generic by certain AVs, possibly because it is packed. We have yet to analyze it to fully understand what it does. We do know, though, that it communicates a list of certain discovered processes back to another Russian server. These processes belong to virtualization environments and security products. On the face of it, Furtim would not have installed had these processes been present; this double check is done as a second precautionary step.
We’ll update once we figure out this missing part.
Conclusion and thoughts
The fact that Furtim has to be installed suggests that an infection method other than the usual “double-click and infect” was used.
It seems that this malware goes to great lengths to remain stealthy and undetected. It is obvious that these threat actors would rather avoid infecting a target than take the chance of exposure.
The low detection rate on VirusTotal can be considered at least a partial success in this regard.
Sites Blocked by Furtim
account.norton.com
www.gmer.net
www.yeabests.cc
bleepingcomputer.com
www.bleepingcomputer.com
malekal.com
www.malekal.com
accounts.comodo.com
activation.adtrustmedia.com
activation-v2.kaspersky.com
auth.ff.avast.com
avstats.avira.com
backup1.bullguard.com
buddy.bitdefender.com
c2.dev.drweb.com
antivirus.baidu.com
cdn.static.malwarebytes.org
csasmain.symantec.com
definitionsbd.lavasoft.com
dm.kaspersky-labs.com
dnsscan.shadowserver.org
download.bitdefender.com
download.bullguard.com
download.comodo.com
download.eset.com
download.geo.drweb.com
downloadnada.lavasoft.com
downloads.comodo.com
downloads.lavasoft.com
www.reasoncoresecurity.com
reasoncoresecurity.com
drweb.com
ec.sunbeltsoftware.com
emupdate.avast.com
esetnod32.ru
zillya.ua
www.zillya.ua
expire.eset.com
gms.ahnlab.com
go.eset.eu
i1.c.eset.com
i2.c.eset.com
i3.c.eset.com
i4.c.eset.com
iploc.eset.com
ipm.avira.com
ipm.bitdefender.com
ksn4-12.kaspersky-labs.com
ksn-file-geo.kaspersky-labs.com
ksn-info-geo.kaspersky-labs.com
ksn-ipm-1.kaspersky-labs.com
ksn-kas-geo.kaspersky-labs.com
ksn-kddi.kaspersky-labs.com
ksn-pbs-geo.kaspersky-labs.com
ksn-stat-geo.kaspersky-labs.com
ksn-tboot-1.kaspersky-labs.com
ksn-tcert-geo.kaspersky-labs.com
ksn-tpcert-1.kaspersky-labs.com
ksn-url-geo.kaspersky-labs.com
ksn-verdict-geo.kaspersky-labs.com
licenseactivation.security.comodo.com
license.avira.com
license.nanoav.ru
license.trustport.com
licensing.security.comodo.com
login.bullguard.com
login.norton.com
metrics.bitdefender.com
mirror01.gdata.de
my.bitdefender.com
newton.norman.com
nimbus.bitdefender.net
niufour.norman.no
niuone.norman.no
niuseven.norman.no
o2.norton.com
omni.avg.com
oms.symantec.com
p003.sb.avast.com
p.filseclab.com
www.filseclab.com
ping.avast.com
premium.avira-update.com
program.avast.com
proxy.eset.com
redirect.avira.com
reg03.eset.com
register.k7computing.com
resolver1.bullguard.ctmail.com
resolver2.bullguard.ctmail.com
resolver3.bullguard.ctmail.com
resolver4.bullguard.ctmail.com
resolver5.bullguard.ctmail.com
rol.pandasecurity.com
360totalsecurity.com
www.360totalsecurity.com
secure.comodo.net
shasta-rrs.symantec.com
shop.esetnod32.ru
slcw.ff.avast.com
spoc-pool-gtm.norton.com
s.program.avast.com
static2.avast.com
static.avg.com
stats.norton.com
stats.qalabs.symantec.com
store.lavasoft.com
su.ff.avast.com
support.norton.com
symantec.tt.omtrdc.net
threatnet.threattrack.com
trace.eset.com
tracking.lavasoft.com
ts-crl.ws.symantec.com
ts.eset.com
uc.cloud.avg.com
um01.eset.com
um21.eset.com
update2.bullguard.com
update.avg.com
update.bullguard.com
update.eset.com
updates.agnitum.com
updates.k7computing.com
updates.sunbeltsoftware.com
upgrade.bitdefender.com
upgr-mmxiii-p.cdn.bitdefender.net
upgr-mmxiv.cdn.bitdefender.net
v7.stats.avast.com
versioncheck.eset.com
vl.ff.avast.com
wam.pandasecurity.com
webprot.avgate.net
webprot.avira.com
webprot.avira.de
wsmy.pandasecurity.com
www5.avira.com
www.avira.com
download.sp.f-secure.com
www.bullguard.com
www.esetnod32.ru
www.k7-russia.ru
www.lavasoft.com
www.mks.com.pl
www.nanoav.ru
www.pandasecurity.com
www-secure.symantec.com
www.sunbeltsoftware.com
www.trustport.com
kaspersky.ru
www.kaspersky.ru
avast.ru
www.avast.ru
freeavg.com
www.freeavg.com
free.avg.com
www.free.avg.com
avira.com
z-oleg.com
www.z-oleg.com
bitdefender.com
www.bitdefender.com
bullguard.com
personalfirewall.comodo.com
www.personalfirewall.comodo.com
comodo.com
www.comodo.com
www.drweb.com
www.emsisoft.ru
emsisoft.ru
avescan.ru
www.avescan.ru
escanav.com
www.escanav.com
escan.com
www.escan.com
f-prot.com
www.f-prot.com
f-secure.com
www.f-secure.com
gdatasoftware.com
ru.gdatasoftware.com
www.gdata.de
gdata.de
ikarussecurity.com
www.ikarussecurity.com
malwarebytes.org
www.malwarebytes.org
nanoav.ru
symantec.com
www.symantec.com
norton.com
www.norton.com
ru.norton.com
agnitum.ru
www.agnitum.ru
cloudantivirus.com
www.cloudantivirus.com
pandasecurity.com
www.rising.com.cn
rising.com.cn
rising-global.com
www.rising-global.com
www.rising-russia.com
rising-russia.com
freerav.com
www.freerav.com
safensoft.ru
www.safensoft.ru
trustport.com
www.trustport-ru.ru
virustotal.com
www.virustotal.com
zillya.com
www.zillya.com
anti-virus.by
www.anti-virus.by
sophos.com
www.sophos.com
www.freedrweb.com
freedrweb.com
www.avirus.ru
www.avg.com
avg.com
mcafee.com
www.mcafee.com
siteadvisor.com
www.siteadvisor.com
support.kaspersky.ru
www.comss.ru
comss.ru
www.spyware-ru.com
spyware-ru.com
virusinfo.info
www.virusinfo.info
forum.esetnod32.ru
www.forum.esetnod32.ru
forum.drweb.com
www.forum.drweb.com
forum.virlab.info
www.forum.virlab.info
spybot.info
www.spybot.info
winpatrol.com
www.quickheal.com
quickheal.com
www.winpatrol.com
av.download.avg.com
The post Analyzing Furtim: Malware that Avoids Mass-Infection appeared first on Breaking Malware.