May 19, 2016 By Larry Loeb 2 min read

Breaking Malware recently published an analysis of a new malware called Furtim. Its name is derived from the Latin term for stealthy — and that’s exactly how it acts.

Furtim attacks Windows machines. It won’t install itself if it identifies any one of an extensive list of security products present or if it finds itself in a sandbox or virtualized environment, according to the analysis. That’s a behavior pattern that has never been seen in malware. This reticence to install itself may be why it was not detected by any of the 56 antivirus programs surveyed by VirusTotal.

More About the Malware

Furtim is deployed as a binary file named native.dll; this is a driver meant to be loaded by the kernel. Although the analyzed sample came unpacked, it did show protection mechanisms. Breaking Malware postulated that it came unpacked because driver packers are a lot less common than regular executable packers.

The security programs it searches for include the well-known ones as well as products that are comparatively rare. If any of these programs or found — or even a trace of them sniffed — Furtim stops dead.

Furtim Goes to Town

Once it feels safe, the malware reads an encrypted, hard-coded part of itself, decrypts it and then writes it to the disk. This is added to the registry’s RunOnce key.

It runs and immediately changes the registry’s policies key values. This blocks the user from accessing the command line and task manager. It then collects unique information about the machine, such as the computer name and Windows installation date. It encrypts this information and sends it to a Russian server, SecurityWeek summarized.

The next step involves three binaries downloaded by the executable, according to the analysis. The first binary keeps the machine on constantly by changing the power settings; the second steals saved passwords and credentials from the installed programs and sends them back to a server; and a third downloaded binary has yet to be fully understood.

Once installed, it will gather some passwords but not much else; it’s a lot of work for little reward.

What’s Going on Here?

The exact purpose of Furtim remains unknown, but it takes extreme precautions to avoid detection. It may be a proof of concept for an installer that is related to some other malware that has yet to be deployed.

This malware is not done evolving. Vigilance will be needed to detect and understand it and its successors.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today