Breaking Malware recently published an analysis of a new malware called Furtim. Its name is derived from the Latin term for stealthy — and that’s exactly how it acts.

Furtim attacks Windows machines. It won’t install itself if it identifies any one of an extensive list of security products present or if it finds itself in a sandbox or virtualized environment, according to the analysis. That’s a behavior pattern that has never been seen in malware. This reticence to install itself may be why it was not detected by any of the 56 antivirus programs surveyed by VirusTotal.

More About the Malware

Furtim is deployed as a binary file named native.dll; this is a driver meant to be loaded by the kernel. Although the analyzed sample came unpacked, it did show protection mechanisms. Breaking Malware postulated that it came unpacked because driver packers are a lot less common than regular executable packers.

The security programs it searches for include the well-known ones as well as products that are comparatively rare. If any of these programs or found — or even a trace of them sniffed — Furtim stops dead.

Furtim Goes to Town

Once it feels safe, the malware reads an encrypted, hard-coded part of itself, decrypts it and then writes it to the disk. This is added to the registry’s RunOnce key.

It runs and immediately changes the registry’s policies key values. This blocks the user from accessing the command line and task manager. It then collects unique information about the machine, such as the computer name and Windows installation date. It encrypts this information and sends it to a Russian server, SecurityWeek summarized.

The next step involves three binaries downloaded by the executable, according to the analysis. The first binary keeps the machine on constantly by changing the power settings; the second steals saved passwords and credentials from the installed programs and sends them back to a server; and a third downloaded binary has yet to be fully understood.

Once installed, it will gather some passwords but not much else; it’s a lot of work for little reward.

What’s Going on Here?

The exact purpose of Furtim remains unknown, but it takes extreme precautions to avoid detection. It may be a proof of concept for an installer that is related to some other malware that has yet to be deployed.

This malware is not done evolving. Vigilance will be needed to detect and understand it and its successors.

More from

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…