In April 2016, a hyper-aware, obsessively picky, and intelligently stealthy trojan started making its way into the ether. ‘Furtim’ translates to ‘stealth’ in Latin, and aims to steal victims’ credentials. Furtim thoroughly evades not only traditional AV controls and security products, but sandbox and Virtual Machine (VM) environments as well.
Furtim’s targeted paranoia seems calculated to defy the research and security industries. It first scans the potential host machine for any sign that it is being watched or monitored. If it discovers it is being run in a test environment, or if it detects the presence of any one of over 400 security products, it immediately aborts its own installation.
By preventing or inhibiting its own execution in these simulated environments, Furtim makes typical research tasks like reverse-engineering, static and dynamic analysis, and isolated detonation exceedingly difficult. This then increases the time-to-solution; hosts are delayed in receiving signature or rule updates from their security vendors, and the malware authors triumph.
The meticulously long blacklist Furtim adheres to covers the prohibition of specific processes, DNS and other network requests aimed at security vendors, and file and script read/write operations.
Furtim’s extracted blacklist is included as an appendix table at the end of this post.
The Three Stages of Furtim
Cylance’s research team analyzed a sample of Furtim. It seems that the malware has three distinct payloads. The malware first deposits a dropper, which serves to open a backdoor on the victim’s machine in order to acquire and assist execution of future payloads or secondary binaries.
The initial payload is a low-power config module which disables Hibernation and Sleep modes. This ensures that the user’s machine stays on in order to maintain the connection with Furtim’s server. Next comes a well-known credential stealer (Pony Loader), which targets sensitive personal information such as stored passwords, browser history and the credentials used to access FTP file servers, which may then be used to help it move and spread within an organization. Lastly comes a third binary, which we are still analyzing.
The victim machine must be rebooted for the infection to run to completion. At that point, it configures itself for startup persistence via the Windows registry. Additional system configuration controls are also implemented. The task manager and the command line are made unavailable to the victim to prevent them from killing malicious processes. It also blocks users from manually rebooting or from accessing a list of 250+ cybersecurity websites in search of technical help. Various logging and notification mechanisms, such as pop-up notifications, are disabled as well, further adding to Furtim’s cloak of secrecy.
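The lock-down described above (security sites made unreachable, Task Manager and the command line disabled) is something a responder can triage from offline artifacts. The following is an added example, not code from the post or from Cylance: it assumes the site blocking is done through the hosts file (the post does not say how) and checks the standard Windows policy values that disable Task Manager and cmd.exe (the post does not name the registry values Furtim sets); the domains and hosts-file content are constructed placeholders.

```python
"""Offline triage for the host lock-down described in the post (constructed inputs)."""
from typing import Dict, List

# Assumption: the post does not say how Furtim blocks the 250+ sites; a hosts-file
# redirect to a sinkhole address is the mechanism checked here. Domains are placeholders.
WATCHED_DOMAINS = {"av-vendor.example", "update.av-vendor.example", "infosec-help.example"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: the post does not name the registry values Furtim changes; these are the
# standard Windows policy values that disable Task Manager and cmd.exe (non-zero = on).
POLICY_VALUES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
    r"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD",
)


def find_hosts_sinkholes(hosts_text: str) -> List[str]:
    """Return watched domains that the hosts file points at a sinkhole address."""
    hits = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenize "ip name [name...]"
        if len(parts) < 2:
            continue
        ip, names = parts[0], [n.lower() for n in parts[1:]]
        if ip in SINKHOLE_IPS:
            hits.extend(n for n in names if n in WATCHED_DOMAINS)
    return hits


def find_policy_restrictions(registry: Dict[str, int]) -> List[str]:
    """Return the restriction policies present with a non-zero (enabled) value."""
    return [k for k in POLICY_VALUES if registry.get(k, 0) != 0]


def triage(hosts_text: str, registry: Dict[str, int]) -> Dict[str, List[str]]:
    """Run both checks; an empty result means neither indicator was found."""
    findings = {
        "sinkholed_security_sites": find_hosts_sinkholes(hosts_text),
        "restrictive_policies": find_policy_restrictions(registry),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed sample artifacts standing in for a live host.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
127.0.0.1   av-vendor.example update.av-vendor.example
0.0.0.0     infosec-help.example   # entry added by the infection
"""
SAMPLE_REGISTRY = {POLICY_VALUES[0]: 1, POLICY_VALUES[1]: 2}

if __name__ == "__main__":
    for key, items in triage(SAMPLE_HOSTS, SAMPLE_REGISTRY).items():
        print(f"{key}: {items}")
```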
Detection: CylancePROTECT vs. Furtim
Most AV solutions rely on frequent signature updates and thus require an online connection in order to stay effective against malware. CylancePROTECT does not rely on updates and it does not require an Internet connection in order to run, making it very effective against threats such as these. By utilizing the power of AI and machine learning to protect the user against cyberthreats, it is able to defend the user against stealth malware like Furtim - which operates by cutting off its host’s access to infosec websites, including AV vendors.
We tested our artificial-intelligence-based technology, CylancePROTECT, against a collection of Furtim samples:
Figure 1: CylancePROTECT detected and quarantined the sample Furtim binaries
Figure 2: CylancePROTECT Threats & Activities tab open to show more detail on the quarantined threat
Figure 3: CylancePROTECT dashboard showing the quarantined Furtim binaries
Our Research team has created a short video showing the effectiveness of CylancePROTECT vs. Furtim:
Indicators of Compromise (IOCs) – SHA256 Hashes
Believe the Math!