Page 2 of 3

Re: Malware with heavy virtual machine and sandbox detection

PostPosted:Wed Apr 27, 2016 10:30 am
by R136a1
The C&C server of the first sample exposes over 1 GB of victim's data due to misconfigured directory listing. Internet service provider was informed.

Re: Win32/Furtim

PostPosted:Wed May 18, 2016 6:09 pm
by EP_X0FF
http://blog.ensilo.com/furtim-the-ultra ... us-malware

several mistakes in article present ("driver" for example).

Re: Win32/Furtim

PostPosted:Mon May 23, 2016 5:28 am
by tr0jan
hehehe..
Marketing write-ups.. not really technical..purpose.. so many like this

Re: Win32/Furtim

PostPosted:Mon May 23, 2016 3:17 pm
by R136a1
Some victim statistics and a bit of promotion for my new blog: http://www.malware-reversing.com/2016/0 ... urtim.html :)

Re: Win32/Furtim

PostPosted:Wed Jul 06, 2016 3:45 am
by sadfud
Hi
someone can share the binary of this malware please? Thanks

Re: Win32/Furtim

PostPosted:Tue Jul 12, 2016 3:43 pm
by EP_X0FF
SentinelOne (pseudo-security firm) strikes back -> https://sentinelone.com/blogs/sfg-furtims-parent/

Favorite quotes:

Nation state sponsored
Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe.
Nation state rootkits, probably from fuckav.ru/wasm.ru
It exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources.
Use a low level sophisticated stuff.
Use of low-level API (Nt* and Rtl*) and direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall)

were used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the author.
Education stuff, yes we are in 2016.
To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also reverse-engineered portions of the Windows operating system.
Nope you don't.

Sophistication never seen in typical malware
Although RC4 isn’t an esoteric stream cipher, the decision by the author to use such a cipher shows a level of sophistication not seen in typical crimeware.
What?

TL;DR
Nice groupping of anti-detection stuff of the Furtim, nothing more.

Re: Win32/Furtim

PostPosted:Tue Jul 12, 2016 6:41 pm
by EP_X0FF
Sample of this "nation-state-sponsored" malware attached. Also attached ActionQueue.dll - uac bypass dll this malware uses.

Re: Win32/Furtim

PostPosted:Wed Jul 13, 2016 9:10 am
by Snakebyte
Didn't know this forum is part of the "darkweb":
https://motherboard.vice.com/read/resea ... -web-forum

Re: Win32/Furtim

PostPosted:Wed Jul 13, 2016 9:35 am
by EP_X0FF
Oh, thats how they found it. By downloading it from here.
Image

Re: Win32/Furtim

PostPosted:Mon Jul 18, 2016 7:07 pm
by badfrog