Win32/Furtim

Forum for analysis and discussion about malware.
R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Malware with heavy virtual machine and sandbox detection

Post by R136a1 » Wed Apr 27, 2016 10:30 am

The C&C server of the first sample exposes over 1 GB of victim's data due to a misconfigured directory listing. The Internet service provider was informed.

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Furtim

Post by EP_X0FF » Wed May 18, 2016 6:09 pm

http://blog.ensilo.com/furtim-the-ultra ... us-malware

Several mistakes are present in the article ("driver", for example).
Ring0 - the source of inspiration

tr0jan
Posts: 8
Joined: Thu Jul 21, 2011 7:10 am

Re: Win32/Furtim

Post by tr0jan » Mon May 23, 2016 5:28 am

hehehe..
Marketing write-ups.. not really technical..purpose.. so many like this

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Win32/Furtim

Post by R136a1 » Mon May 23, 2016 3:17 pm

Some victim statistics and a bit of promotion for my new blog: http://www.malware-reversing.com/2016/0 ... urtim.html :)

sadfud
Posts: 2
Joined: Wed Jun 01, 2016 5:12 pm

Re: Win32/Furtim

Post by sadfud » Wed Jul 06, 2016 3:45 am

Hi,
can someone share the binary of this malware, please? Thanks

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Furtim

Post by EP_X0FF » Tue Jul 12, 2016 3:43 pm

SentinelOne (pseudo-security firm) strikes back -> https://sentinelone.com/blogs/sfg-furtims-parent/

Favorite quotes:

Nation state sponsored:
"Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe."

Nation state rootkits, probably from fuckav.ru/wasm.ru:
"It exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources."

Use a low level sophisticated stuff:
"Use of low-level API (Nt* and Rtl*) and direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall) were used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the author."

Education stuff, yes we are in 2016:
"To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also reverse-engineered portions of the Windows operating system."
Nope you don't.

Sophistication never seen in typical malware:
"Although RC4 isn't an esoteric stream cipher, the decision by the author to use such a cipher shows a level of sophistication not seen in typical crimeware."
What?

TL;DR
Nice grouping of the anti-detection stuff of Furtim, nothing more.
Ring0 - the source of inspiration
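The quoted write-up mentions direct system calls (INT 2Eh, SYSENTER) used to sidestep user-mode API hooks. The following scanner is an added defensive example, not code from this thread or from any vendor: it looks for inline syscall stubs ("mov eax, <service number>" followed shortly by a syscall entry instruction) in a raw x86 code section, which is a cheap triage signal that a non-ntdll module is entering the kernel on its own. The sample bytes and the service numbers in them are constructed for the example and do not correspond to any real Windows service table.

```python
import re
import struct
from collections import namedtuple

# Constructed example (not from the thread). Heuristic: a user-mode module
# other than ntdll.dll normally has no reason to contain a
# "mov eax, imm32" followed within a few bytes by INT 2Eh, SYSENTER or
# SYSCALL. Such inline stubs are the "direct system call" pattern the
# quoted write-up describes.

Hit = namedtuple("Hit", "offset mnemonic syscall_number")

# x86 encodings of the three syscall entry instructions
_ENTRY_OPCODES = {
    b"\xcd\x2e": "int 2Eh",
    b"\x0f\x34": "sysenter",
    b"\x0f\x05": "syscall",
}

# B8 imm32 = "mov eax, imm32". Allow up to 16 bytes of argument setup
# (mov edx, esp / lea edx, ...) between the mov and the entry instruction,
# but do not let another B8 sit in that gap, so the immediate we report is
# the one closest to the entry instruction.
_STUB_RE = re.compile(
    rb"\xb8(?P<num>.{4})(?P<gap>[^\xb8]{0,16}?)(?P<entry>\xcd\x2e|\x0f\x34|\x0f\x05)",
    re.DOTALL,
)

# Service numbers are small indexes into the system service table; a large
# immediate before an entry opcode is far more likely an unrelated constant.
_MAX_PLAUSIBLE_SERVICE_NUMBER = 0x1000


def find_direct_syscall_stubs(code: bytes) -> list:
    """Return every plausible inline syscall stub found in a byte string."""
    hits = []
    for m in _STUB_RE.finditer(code):
        number = struct.unpack("<I", m.group("num"))[0]
        if number > _MAX_PLAUSIBLE_SERVICE_NUMBER:
            continue
        hits.append(Hit(m.start(), _ENTRY_OPCODES[m.group("entry")], number))
    return hits


# Constructed code bytes: two genuine-looking stubs plus one decoy where a
# large constant happens to precede a SYSENTER. Numbers are arbitrary.
SAMPLE = (
    b"\x55\x8b\xec"              # push ebp; mov ebp, esp (ordinary prologue)
    b"\xb8\x3c\x00\x00\x00"      # mov eax, 3Ch
    b"\x8b\xd4"                  # mov edx, esp
    b"\xcd\x2e"                  # int 2Eh           -> stub at offset 3
    b"\xc2\x08\x00"              # ret 8
    b"\xb8\xef\xbe\xad\xde"      # mov eax, 0DEADBEEFh (just a constant)
    b"\x0f\x34"                  # sysenter          -> decoy, filtered out
    b"\xb8\x12\x00\x00\x00"      # mov eax, 12h
    b"\x8d\x54\x24\x04"          # lea edx, [esp+4]
    b"\x0f\x34"                  # sysenter          -> stub at offset 22
    b"\xc3"                      # ret
)

if __name__ == "__main__":
    for hit in find_direct_syscall_stubs(SAMPLE):
        print(f"offset {hit.offset:#06x}: {hit.mnemonic} with eax={hit.syscall_number:#x}")
```

Run it over the executable sections of a sample rather than the whole file, and skip ntdll.dll itself, which legitimately contains exactly these stubs. The heuristic only catches literal immediates; a stub that loads the service number from a register or computes it at run time will not match, so a clean result is not evidence that the sample calls through ntdll's exports.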

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Furtim

Post by EP_X0FF » Tue Jul 12, 2016 6:41 pm

Sample of this "nation-state-sponsored" malware attached. Also attached ActionQueue.dll, the UAC bypass DLL this malware uses.
Ring0 - the source of inspiration

Snakebyte
Posts: 12
Joined: Tue Oct 07, 2014 9:33 am

Re: Win32/Furtim

Post by Snakebyte » Wed Jul 13, 2016 9:10 am

Didn't know this forum is part of the "darkweb":
https://motherboard.vice.com/read/resea ... -web-forum

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Furtim

Post by EP_X0FF » Wed Jul 13, 2016 9:35 am

Oh, that's how they found it. By downloading it from here.
Ring0 - the source of inspiration

badfrog
Posts: 1
Joined: Tue Mar 15, 2016 9:50 pm

Re: Win32/Furtim

Post by badfrog » Mon Jul 18, 2016 7:07 pm

