Light Dark
May 19, 2016 By Larry Loeb 2 min read

Breaking Malware recently published an analysis of a new malware called Furtim. Its name is derived from the Latin term for stealthy — and that’s exactly how it acts.

Furtim attacks Windows machines. It won’t install itself if it identifies any one of an extensive list of security products present or if it finds itself in a sandbox or virtualized environment, according to the analysis. That’s a behavior pattern that has never been seen in malware. This reticence to install itself may be why it was not detected by any of the 56 antivirus programs surveyed by VirusTotal.

More About the Malware

Furtim is deployed as a binary file named native.dll; this is a driver meant to be loaded by the kernel. Although the analyzed sample came unpacked, it did show protection mechanisms. Breaking Malware postulated that it came unpacked because driver packers are a lot less common than regular executable packers.

The security programs it searches for include the well-known ones as well as products that are comparatively rare. If any of these programs or found — or even a trace of them sniffed — Furtim stops dead.

Furtim Goes to Town

Once it feels safe, the malware reads an encrypted, hard-coded part of itself, decrypts it and then writes it to the disk. This is added to the registry’s RunOnce key.

It runs and immediately changes the registry’s policies key values. This blocks the user from accessing the command line and task manager. It then collects unique information about the machine, such as the computer name and Windows installation date. It encrypts this information and sends it to a Russian server, SecurityWeek summarized.

The next step involves three binaries downloaded by the executable, according to the analysis. The first binary keeps the machine on constantly by changing the power settings; the second steals saved passwords and credentials from the installed programs and sends them back to a server; and a third downloaded binary has yet to be fully understood.

Once installed, it will gather some passwords but not much else; it’s a lot of work for little reward.

What’s Going on Here?

The exact purpose of Furtim remains unknown, but it takes extreme precautions to avoid detection. It may be a proof of concept for an installer that is related to some other malware that has yet to be deployed.

This malware is not done evolving. Vigilance will be needed to detect and understand it and its successors.

 |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

January 13, 2025

How CTEM is providing better cybersecurity resilience for organizations

4 min read - Organizations today continuously face a number of fast-moving cyber threats that regularly challenge the effectiveness of their cybersecurity defenses. However, to keep pace, businesses need a proactive and adaptive approach to their security planning and execution.Cyber threat exposure management (CTEM) is an effective way to achieve this goal. It provides organizations with a reliable framework for identifying, assessing and mitigating new cyber risks as they materialize.The importance of developing cybersecurity resilienceRegardless of the industry, all organizations are subject to certain…

January 13, 2025

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

January 10, 2025

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature