Security researchers at SentinelOne uncovered Furtim’s Parent malware, which bears some similarity to Stuxnet.
Security firm SentinelOne on July 12 published new research on a malware variant that is taking aim at energy companies.
The malware, dubbed Furtim’s Parent by SentinelOne, is related to a malware strain previous identified as Furtim, which means stealth in Latin.”We have found and analyzed the sample that prepares the system to run Furtim,” Joseph Landry, senior security researcher at SentinelOne, told eWEEK.Previous coverage of Furtim by other security firms only examined one component of the malware, Landry said. What other security firms call Furtim will not actually run on a system when the .exe file is clicked as it is a Windows native application, he added.Among the security firms that have previously published research on Furtim is Cylance, which detailed its findings in May.
The Furtim malware is programmed to run only during specific times of the Windows boot process.
SentinelOne used its own threat intelligence system to find Furtim’s Parent. Landry said that it was retrieved from two different sources, one from SentinelOne’s agent sensor and the other from a private forum.”We don’t have exact numbers on the infection magnitude, but this sample was developed for more targeted attacks, rather than high infection volume,” Landry said. “This sample seems to target large enterprise organizations, and has probably already infected a few.”Attacks against energy companies and infrastructure are not a new phenomenon. Malware known as BlackEnergy, for example, was identified earlier this year as being directly responsible for a December 2015 power outage in the Ukraine.BlackEnergy is used to perform distributed denial-of-service (DDoS) attacks, among other things, Landry said. “These attacks are very loud and would not go unnoticed.
This sample [Furtim’s Parent] looks like it was never supposed to be found.”Furtim’s Parent is similar to Stuxnet, which was used in an attack against an Iranian nuclear facility in 2010.In fact, Landry said, Furtim’s Parent is so similar to Stuxnet that it’s almost as if Stuxnet inspired Furtim’s Parent creation.”It’s clear that someone with a lot of funding and professionalism wrote this malware, as it targeted both hardware, software, and the code is very dense and very technical, as opposed to the majority of the samples we see daily,” Landry said.Reminiscent of Stuxnet, Furtim’s Parent uses multiple anti-sandbox and anti-virtual machine techniques.
Additionally, Furtim’s Parent is able to bypass a dozen different antivirus engines using a multi-stage attack. Landry noted that he has seen anti-debugging and anti-virtual machine capabilities in malware before, but unlike Furtim’s Parent sample, there are usually one or two checks. “The large amount of tests included in this sample is to ensure that it will not run even on a hardened sandbox that has been configured to look more like a physical machine than a virtual machine,” Landry said.Although Furtim’s Parent is an advanced form of malware, there are no zero-day exploits in the sample, Landry said. Rather, there are the two known exploits (CVE-2014-4113, a Windows Kernel Mode vulnerability, and CVE-2015-1701, a privilege escalation flaw) plus one known user-account control (UAC) bypass technique. While Furtim’s Parent only uses known exploits, even a fully patched machine can be infected, Landry said. “When the exploits are not run because a system is fully patched, the sample will fall back to a UAC popup, and if the user clicks ‘yes,’ the malware will be run as administrator,” Landry explained. “If the user account running the sample is not an administrator, the UAC popup will also ask for the administrator password.
If the user doesn’t know the administrator password, the sample will not run.”Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist.