MAY 16, 2016 BY [YOTAM GOTTESMAN](http://blog.ensilo.com/author/yotam-gottesman)

## Furtim: The Ultra-Cautious Malware

Furtim is the latest stealthy malware found in the wild; its discovery is credited to @hFireF0X. Clearly, Furtim's developers were more interested in keeping their malware hidden from security's prying eyes than in hitting more targets. With stealth a key component, we code-named this downloader Furtim, Latin for "stealthily".

At the time of its finding, Furtim showed a 0% detection rate on VirusTotal, meaning its developers had at least partly succeeded in staying hidden. In our labs, we purposefully infected a computer to monitor Furtim's activities on the device and its communication with its Command & Control (C&C) server, in order to understand its goals.

enSilo's customers are protected from Furtim.

# What are Furtim's components?

- A driver. The driver tests the target machine's environment, for example the processes it runs and the security programs that are installed.
- A downloader. The downloader is the component that opens the backdoor for the subsequent installation of the malware's malicious modules, aka the "payloads". You can think of the downloader as the malware's socket: a placeholder that sets everything in place so that, when the threat actor decides the time is ripe, the payload simply plugs into it.
- Three payloads. We found three malicious modules: a power configuration change utility, a stealer, and a third file that communicates back to a server. Details on these appear below.

# What's so unique about Furtim?
Furtim goes to great lengths to ensure that it remains undercover. These measures show that Furtim's developers were very thorough, anticipating a campaign in which they could use Furtim throughout:

- Prior to installation, Furtim checks whether the target machine includes any security product or runs in a virtualized or sandboxed environment, and forgoes installation if any is found. In fact, Furtim tests for these against a monstrous list of more than 400 items, from the obvious, well-known products to those on the verge of the esoteric. While we have seen cases where downloaders and other malware do not install if other products are present, the list that Furtim tests against is beyond that of any typical malware.
- Furtim avoids DNS filtering services by scanning the network interfaces on the infected machine. If it finds any such service configured, it replaces the known filtering nameserver with public nameservers offered by Google and Level3 Communications.
- Furtim blocks access to nearly 250 security-related sites, such as AV update sites, by replacing the Windows hosts file. The blocked list also includes technical help sites such as BleepingComputer.com.
- Once installed, the target's device has to be rebooted for Furtim to properly latch into the system. At that stage, Furtim ensures that any reboot policy on the machine, even one defined by an administrator through Group Policy, is overridden so that downloaded payloads will run.
- On first run, Furtim makes a few configuration changes on its host to block the user from accessing the command line and Task Manager. These measures prevent those tools from revealing, or being used to kill, the malicious processes. In addition, Furtim disables Windows notification and pop-up mechanisms.
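The hosts-file hijack described above is straightforward to check for on a suspect machine. The following is an added example written by the editor, not enSilo's or Furtim's code: it parses a hosts file and flags any security-related hostname that has been pinned to a sinkhole address. BleepingComputer.com is the only blocked site the post names; the other domains in the watch-list and the sample hosts file are constructed for the example.

```python
"""Hosts-file sinkhole detector for the behaviour the post describes
(Furtim rewrites the Windows hosts file to block ~250 security sites).
Editor's added example, not enSilo's code. The watch-list and the sample
hosts file are constructed; the real Furtim list is not on the page."""
import ipaddress
import re
from typing import Dict, List

# Constructed watch-list. BleepingComputer.com is named in the post; the
# remaining AV/update domains are the editor's assumption.
SECURITY_DOMAINS = {
    "bleepingcomputer.com",
    "update.symantec.com",
    "definitions.symantec.com",
    "downloads.malwarebytes.com",
    "www.virustotal.com",
}

# Addresses malware typically points blocked names at.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# <address> <name> [<name> ...] [# comment]
HOSTS_LINE = re.compile(r"^\s*(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(#.*)?$")


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased, no trailing dot) to its addresses."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr = m.group("addr")
        try:
            ipaddress.ip_address(addr)  # skip lines whose first token is not an IP
        except ValueError:
            continue
        for name in m.group("names").split():
            mapping.setdefault(name.lower().rstrip("."), []).append(addr)
    return mapping


def _is_watched(name: str) -> bool:
    """True for a watched domain or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def find_sinkholed(hosts_text: str) -> List[str]:
    """Return watched hostnames that the hosts file pins to a sinkhole address.

    A clean hosts file almost never mentions AV update servers at all, so a
    watched name is already suspicious; a sinkhole address makes it near-certain.
    """
    hits = [
        name
        for name, addrs in parse_hosts(hosts_text).items()
        if _is_watched(name) and any(a in SINKHOLE_ADDRS for a in addrs)
    ]
    return sorted(hits)


# Constructed sample: the stock Windows header, one benign local override,
# and three entries of the kind the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
10.0.0.5        intranet.corp.example      # benign local override
127.0.0.1       www.bleepingcomputer.com bleepingcomputer.com
0.0.0.0         update.symantec.com
127.0.0.1       downloads.malwarebytes.com # keep AV from updating
"""

if __name__ == "__main__":
    for host in find_sinkholed(SAMPLE_HOSTS):
        print("sinkholed:", host)
```

On a live Windows host, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `find_sinkholed()`. The resolver swap the post also describes is checked the same way in spirit: compare each interface's configured DNS servers against the filtering resolver you expect, and treat a silent change to a public resolver as a finding. The example deliberately stays offline so it runs anywhere.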
Upon initial communication, Furtim collects unique information from the device it is running on, such as the computer name and installation date, and sends that information to a specific server. The server stores the received details about the infected machine to ensure that the payload is sent only once. In fact, even if the infected machine sends the same request again, the server will not re-send the payload and will return a 404 error on any of these subsequent requests. We believe that this is done to prevent security researchers and AV companies from collecting the samples from the server by repeating previous requests or running the sample multiple times.

# What are the payloads that Furtim accepts?

We have witnessed the following three payloads, though it is possible that Furtim was developed to accept more than just these three.

1. Power-saving configuration tool. The tool disables sleep mode and hibernation to ensure that the system is always up and running unless manually shut down by a user. This way, open communication with the C&C server is maintained.
2. A stealer, named Pony Stealer. Pony Stealer is a commercial credential stealer, considered one of the more powerful stealers on the market today. As its name implies, this malicious program steals saved credentials from various installed programs and sends them back to a server, where they are conveniently organized in a searchable web platform for easy access. In practice, stealers are used to aid lateral movement inside the organization.
3. A third, unknown payload. This payload communicates a list of certain discovered processes back to a Russian server. These processes of interest include virtualization environments and security products. On the face of it, Furtim would not have installed had these processes been present; the double check is done as a second precautionary step. This third payload may very well also include the main malicious functionality and persistence capabilities.
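To make the once-only payload delivery described at the start of this section concrete, the model below is an added example by the editor, not Furtim's or enSilo's code. It keys each victim on the two fields the post names (computer name and installation date), serves the payload on the first request and returns 404 to every repeat, and shows the analyst-side consequence: re-running the same sample in the same VM never yields the payload again, while a check-in with a fresh fingerprint does. The request structure and the fingerprint format are assumptions for the example.

```python
"""Model of a one-shot C&C: serve the payload once per victim fingerprint,
answer 404 to every repeat. Editor's added example, not Furtim's or enSilo's
code; only the two fingerprint fields come from the post."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PAYLOAD = b"<stage-2 module bytes>"  # constructed stand-in for the real module


@dataclass(frozen=True)
class CheckIn:
    """The victim's first message. The fields are the ones the post names;
    the '|'-joined fingerprint format is an assumption for this example."""
    computer_name: str
    install_date: str

    def fingerprint(self) -> str:
        return f"{self.computer_name}|{self.install_date}"


@dataclass
class OneShotC2:
    """Server-side rule: hand out the payload once per fingerprint, then 404."""
    served: Set[str] = field(default_factory=set)

    def handle(self, req: CheckIn) -> Tuple[int, Optional[bytes]]:
        fp = req.fingerprint()
        if fp in self.served:
            return 404, None  # replay or second run: look like nothing is here
        self.served.add(fp)
        return 200, PAYLOAD


def replay_scenario() -> List[int]:
    """Status codes an analyst sees when replaying one check-in three times,
    then checking in from a machine with a different fingerprint."""
    c2 = OneShotC2()
    same_box = CheckIn("WKS-0042", "2016-03-11")
    codes = [c2.handle(same_box)[0] for _ in range(3)]
    codes.append(c2.handle(CheckIn("WKS-0043", "2016-03-11"))[0])
    return codes


def fetch_with_fresh_fingerprint(c2: OneShotC2, base: CheckIn,
                                 attempt: int) -> Optional[bytes]:
    """Analyst-side workaround: vary the fingerprint each run to be served again.
    Works only while the server keys solely on these client-supplied fields."""
    probe = CheckIn(f"{base.computer_name}-{attempt}", base.install_date)
    status, body = c2.handle(probe)
    return body if status == 200 else None


if __name__ == "__main__":
    print("replay status codes:", replay_scenario())
```

The operational lesson for analysts is that the first execution of a sample is the only time the payload crosses the wire for that fingerprint, so capture that run completely (full packet capture or an intercepting proxy) before anything else. The model also shows the operator's weak point: if the server keys only on client-supplied fields, a changed hostname is enough to be served again. A real operator might additionally key on source IP or rate-limit, which this model does not.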
Given its complexity, it will take a while to completely understand the extent of its functionality. We will update this section once more details are revealed.

# Who's behind this attack?

Given the defensive measures Furtim takes, we can imagine that Furtim is more than a downloader used by common fraudsters. The threat actors behind Furtim were dedicated, knowing that it was worth remaining stealthy, even at the expense of hitting fewer targets, rather than being revealed. We do know that the C&C server is hosted at a Russian domain, which resolves to several Ukrainian IP addresses. Additionally, its communications are configured to accept Russian. With this in mind, it is easy to point a finger at Russia. However, we cannot jump to that conclusion, as threat actors typically hide their identity by masquerading as coming from a certain location.

# Who is Furtim targeting?

This is one more question we don't have the answer to. Nor do we know how the victim becomes infected. We do know that this is active malware, as the server is live and kicking, communicating with its instances.

# How can you protect yourself against Furtim and other such malware?

All evidence points to the threat actors behind Furtim being dedicated and willing to take the measures necessary to infect slowly and remain stealthy. A dedicated threat actor has the will and the time to infiltrate. With this in mind, we need to recognize that infiltration is inevitable and address threat actors under the assumption that they are already inside. This approach requires cutting off malicious communications in real time so that, once inside, they cannot communicate outbound and the consequences of the attack are prevented.