May 19, 2016 By Larry Loeb 2 min read

Breaking Malware recently published an analysis of a new malware called Furtim. Its name is derived from the Latin term for stealthy — and that’s exactly how it acts.

Furtim attacks Windows machines. It won’t install itself if it identifies any one of an extensive list of security products present or if it finds itself in a sandbox or virtualized environment, according to the analysis. That’s a behavior pattern that has never been seen in malware. This reticence to install itself may be why it was not detected by any of the 56 antivirus programs surveyed by VirusTotal.

More About the Malware

Furtim is deployed as a binary file named native.dll; this is a driver meant to be loaded by the kernel. Although the analyzed sample came unpacked, it did show protection mechanisms. Breaking Malware postulated that it came unpacked because driver packers are a lot less common than regular executable packers.

The security programs it searches for include the well-known ones as well as products that are comparatively rare. If any of these programs or found — or even a trace of them sniffed — Furtim stops dead.

Furtim Goes to Town

Once it feels safe, the malware reads an encrypted, hard-coded part of itself, decrypts it and then writes it to the disk. This is added to the registry’s RunOnce key.

It runs and immediately changes the registry’s policies key values. This blocks the user from accessing the command line and task manager. It then collects unique information about the machine, such as the computer name and Windows installation date. It encrypts this information and sends it to a Russian server, SecurityWeek summarized.

The next step involves three binaries downloaded by the executable, according to the analysis. The first binary keeps the machine on constantly by changing the power settings; the second steals saved passwords and credentials from the installed programs and sends them back to a server; and a third downloaded binary has yet to be fully understood.

Once installed, it will gather some passwords but not much else; it’s a lot of work for little reward.

What’s Going on Here?

The exact purpose of Furtim remains unknown, but it takes extreme precautions to avoid detection. It may be a proof of concept for an installer that is related to some other malware that has yet to be deployed.

This malware is not done evolving. Vigilance will be needed to detect and understand it and its successors.

More from

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

How red teaming helps safeguard the infrastructure behind AI models

4 min read - Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from the ad-hoc nature of many implementations, where organizations lack a clear strategy for responsible AI use.Attack surfaces aren’t just expanding due to risks and vulnerabilities in AI models themselves but also in the underlying infrastructure that supports them. Many foundation…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today