Paranoid Furtim Malware Checks for 400 Security Products Before Execution

Malware most likely used in cyber-espionage campaigns. A security researcher that goes online only by the nickname of FireFOX (@hFireF0X) has discovered a unique malware family that pays a lot of attention to remaining undetected, and not to having great features or efficient data exfiltration procedures.

Security firm enSilo took a closer look at his discovery and named the malware Furtim, the Latin word for “stealthy” and tracked down some of its command & control servers to a Russian domain, which resolves back to a Ukrainian IP.

At the time of his analysis, despite managing to break down a large part of Furtim’s mode of operation, enSilo didn’t manage to discover how crooks are spreading the malware, how it gains an initial foothold on the infected devices, or what kind of targets it is seeking.

Furtim, a.k.a. “the paranoid malware”

enSilo also noted something different about Furtim that he didn’t see in other types of malware. Furtim paid a lot of attention, actually more than it should, to avoiding getting detected by security products.

During its installation, the malware would check for the presence of virtualized or sandboxed environments, tools which security researchers use for malware debugging.

Additionally, Furtim also includes filters for over 400 security products. If it finds at least one of these installed on the PC, Furtim aborts the installation.

After it has set up itself, the malware blocks DNS filtering services by replacing DNS servers with public IPs provided by Google and Level3 Communications, and also blocks users from accessing nearly 250 websites from the infosec domain.

Furtim is really, really, really paranoid

But the self-defense mechanism doesn’t stop here, though, because Furtim also disables the Windows notification and pop-up mechanisms, and his access to the command line and the Task Manager.

After Furtim feels comfortable within its infected environment, it collects data from the infected device and sends it to the server.

The server uses this data to identify between its targets and also deliver the final payloads since Furtim is only a malware downloader, a stepping stone for more dangerous threats.

enSilo noticed that the server sent the malware payloads only once to each target, a tactic also employed to make reverse engineering by security researchers much harder.

Furtim delivers the Pony infostealer and another unknown payload

The final payload is actually made up of three files. The first is a power configuration file for the infected computer that removes sleep mode and hibernation settings.


The second is the Pony infostealer, malware specialized in stealing all kinds of sensitive data, from FTP and email client credentials to browser history and stored passwords.

The third and final payload is currently unknown, enSilo saying he wasn’t able to crack it.

“We do know that a third binary is downloaded. It is identified as generic by certain AVs, possibly due to the fact that it is packed. We have yet to analyze it to completely understand what it does,” BreakingMalware also wrote today. “We do know though, that it communicates back a list of certain discovered processes to another Russian server.”

With all these data exfiltration features and focus on stealth, Furtim sure looks like the spawn of a cyber-espionage group, even if FireFOX, BreakingMalware or enSilo didn’t say so.



About webimprint

Webimprints is the leading company which provides global information security services to the client around the World.
This entry was posted in Cyber Security, Malware and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s