Analyzing Furtim: Malware that Avoids Mass-Infection
Recently we came across a new malware strain, first discovered by @hFireF0X, and at point of discovery, it was not detected by any of the 56 anti-virus programs tested by VirusTotal service.
It is not yet known who is behind this malware, and as no string in the file disclosed its original name we code-named it “Furtim”, which is the Latin translation for “stealthy”. In fact, Furtim, as we’ll show, goes through great lengths to avoid being caught by security parties. For example, Furtim won’t install itself if it identifies on the target machine one of an extensive list of security products (both common and esoteric), sandbox or virtualization environments.
These threat actors would rather give up on a target, than take the chance of being exposed.
Given these interesting facts, we decided to perform a deep analysis of this new malware sample.
Furtim arrives as a binary file, originally named “native.dll”.
The file is a driver. It is supposed to be loaded by the kernel.
It weighs 295 KB and timestamped October 22, 2015.
Packing and protection
This sample does not come packed. It could be that this is attributed to the fact that driver packers are a lot less common than regular executable packers.
Protection mechanisms are in place, though.
Calls are made dynamically using a large structure that contains function pointers, strings are obfuscated and the binary contains other encrypted parts.
Anti-debugging is not present. It could be that the reason is that the debugging process for drivers is more complex, so Furtim’s authors simply chose not to integrate this malware-feature.
Running Furtim (directly)
We use Windows’ sc tool to create a service for our driver.
Initially we tried to run it in Kernel mode using:
sc create native binPath= native.dll type= kernel
The command returns an error and appears to do nothing to little.
Running Furtim (with a debugger this time)
Let’s decide now to let the sample do some of its work under the context of a debugger.
First, we’ll change the first byte of the program to an INT 3 instruction, opcode 0xCC.
Then we’ll attach Windbg in kernel debugging mode to the machine. Finally, we can run the sample using the sc tool again:
sc start native
… And the debugger stops at the entry point.
Structure handling and string deobfuscation
Using IDA, we can see the big constructor-like function that built the global structure used for function calls. Note that not only imported function pointers are placed in this struct but it is also used for local calls, making IDA’s cross-reference view useless at the beginning.
We can also see the loop that decrypts strings.
Letting these two important parts run reveals plaintext strings and a struct full of function pointers.
How Furtim avoids security products
The strings bring us to understand what this sample is looking for.
In a nutshell, Furtim searches the infected machine for any trace of a security program. The authors went to great lengths by including no less than 400 registry entries or service executable names of security programs. These include the well-known ones and also very rare, some on the verge of esoteric programs. The code screenshot below includes a snapshot of some of these registry key names.
If one of these programs is found, and sometimes even a trace of it is enough, the sample quits.
Virtualization environments are also checked thoroughly. Furtim is aware of all major virtualization and sandboxing environments and will not run if one of them is detected.
We’ve also noticed that Furtim is aware to DNS filtering services due to its scanning of the network interfaces on the infected machine, and replacing any known filtering nameserver to public nameservers offered by Google and Level3 Communications.
Finally, access to nearly 250 security related sites, such as AV update sites, are blocked by replacing Windows’ hosts file (the actual list of blocked sites appears at the end of this post). The blocked sites list also includes technical help sites such as BleepingComputer.com.
If Furtim decides that no threat of exposure is present on the victim machine, it will read an encrypted hard-coded part of itself, decrypt it and write it to the disk.
This file is an ordinary user-mode executable named “rdpinst.exe”.
The dumped file will be added to the registry RunOnce key:
Certain measures are taken in order to ensure that the RunOnce key is not ignored by the Group policy and normal boot sequence is enforced using various Windows’ tools. This kind of behavior is very rare for malware, indicating that the developers were very thorough in their attack plan.
In certain situations the malware will also call for a system reboot following this installation.
Stealth is again top-priority.
The new dropped binary runs and immediately commits some changes to the registry, mainly to the Policies key values. This effectively blocks the user from accessing the command line and task manager, tools that may reveal the malware’s process running the background or may provide means to kill it.
rdpinst.exe collects unique information about the machine it is running on, such as computer name and Windows’ installation date, encrypts them and sends them to a Russian-domain server. Testing the Russian domain resolves to quite a few IP addresses, most of which are located in the Ukraine.
The request sent contains the “Accept-Language” header which is set to “ru” (for Russian) which further points to the direction of this malware’s origin. It is important to note, however, that relying on attributes, such as IP and Language, is never certain.
Communication with the server is done over HTTP and data is encrypted using RC2 Algorithm with a predefined key.
The server stores the received details about the infected machine to ensure that the payload is sent only once. In fact, even if the infected machine sends the unique information from a different IP, the C&C server will know not to re-send this payload and will return 404 error on any of these subsequent requests. This is possibly done to prevent security researchers and AV companies trying to collect the samples from the server by repeating previous requests or running the sample multiple times.
The server then responds with the following 3 binary files to be executed by the dropped executable.
File #1: Power Saving Configuration
Availability is also important to the authors.
The first downloaded binary uses the powercfg configuration tool to change the power saving features of the infected machine. Automatic sleep mode and hibernation are disabled to ensure the system is always up and running unless manually shut down by a user.
On the face of it, if the power configurations are changed, a security savvy person would notice. However, the threat actors considered that if they’ve already reached this stage, then the user is less security-conscious.
File #2: Pony Stealer
The second binary is downloaded from a server in UK. It is named Pony20.exe and as its name implies, it contains “Pony Stealer”. This malware is a run-once type, it steals saved passwords and credentials from various installed programs and sends them back to a server where they are conveniently organized in a searchable web platform for easy access.
File #3: Yet to be resolved
We do know that a third binary is downloaded. It is identified as generic by certain AVs, possibly due to the fact that it is packed. We have yet to analyze it to completely understand what it does. We do know though, that it communicates back a list of certain discovered processes to another Russian server. These processes belong to virtualization environments and security products. On the face of it, Furtim would not have installed were these processes in place, however, this double check is done as a second precautionary step.
We’ll update once we figure out this missing part.
Conclusion and thoughts
The fact that Furtim has to be installed suggests that an infection method other than the usual “double-click and infect” method was used.
It seems that this malware goes to great lengths to remain stealthy and undetected. It is obvious that these threat actors would rather avoid infecting a target than taking the chance of exposure.
The low detection rate of VirusTotal can be considered at least a partial success in this field.
Sites Blocked by Furtim