Win32/Furtim

Forum for analysis and discussion about malware.
User avatar
R136a1
Forum Admin
Posts: 231
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Wed Apr 27, 2016 10:30 am

The C&C server of the first sample exposes over 1 GB of victim's data due to misconfigured directory listing. Internet service provider was informed.
User avatar
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Wed May 18, 2016 6:09 pm

http://blog.ensilo.com/furtim-the-ultra ... us-malware

several mistakes in article present ("driver" for example).
Ring0 - the source of inspiration
tr0jan
Posts: 8
Joined: Thu Jul 21, 2011 7:10 am

Mon May 23, 2016 5:28 am

hehehe..
Marketing write-ups.. not really technical..purpose.. so many like this
User avatar
R136a1
Forum Admin
Posts: 231
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Mon May 23, 2016 3:17 pm

Some victim statistics and a bit of promotion for my new blog: http://www.malware-reversing.com/2016/0 ... urtim.html :)
sadfud
Posts: 2
Joined: Wed Jun 01, 2016 5:12 pm

Wed Jul 06, 2016 3:45 am

Hi
someone can share the binary of this malware please? Thanks
User avatar
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Tue Jul 12, 2016 3:43 pm

SentinelOne (pseudo-security firm) strikes back -> https://sentinelone.com/blogs/sfg-furtims-parent/

Favorite quotes:

Nation state sponsored
Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe.
Nation state rootkits, probably from fuckav.ru/wasm.ru
It exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources.
Use a low level sophisticated stuff.
Use of low-level API (Nt* and Rtl*) and direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall)

were used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the author.
Education stuff, yes we are in 2016.
To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also reverse-engineered portions of the Windows operating system.
Nope you don't.

Sophistication never seen in typical malware
Although RC4 isn’t an esoteric stream cipher, the decision by the author to use such a cipher shows a level of sophistication not seen in typical crimeware.
What?

TL;DR
Nice groupping of anti-detection stuff of the Furtim, nothing more.
Ring0 - the source of inspiration
User avatar
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Tue Jul 12, 2016 6:41 pm

Sample of this "nation-state-sponsored" malware attached. Also attached ActionQueue.dll - uac bypass dll this malware uses.
You do not have the required permissions to view the files attached to this post.
Ring0 - the source of inspiration
User avatar
Snakebyte
Posts: 12
Joined: Tue Oct 07, 2014 9:33 am

Wed Jul 13, 2016 9:10 am

Didn't know this forum is part of the "darkweb":
https://motherboard.vice.com/read/resea ... -web-forum
User avatar
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Wed Jul 13, 2016 9:35 am

Oh, thats how they found it. By downloading it from here.
Image
Ring0 - the source of inspiration
Post Reply