A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28553  by tr0jan
 Mon May 23, 2016 5:28 am
hehehe..
Marketing write-ups.. not really technical..purpose.. so many like this
 #28817  by sadfud
 Wed Jul 06, 2016 3:45 am
Hi
someone can share the binary of this malware please? Thanks
 #28865  by EP_X0FF
 Tue Jul 12, 2016 3:43 pm
SentinelOne (pseudo-security firm) strikes back -> https://sentinelone.com/blogs/sfg-furtims-parent/

Favorite quotes:

Nation state sponsored
Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe.
Nation state rootkits, probably from fuckav.ru/wasm.ru
It exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources.
Use a low level sophisticated stuff.
Use of low-level API (Nt* and Rtl*) and direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall)

were used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the author.
Education stuff, yes we are in 2016.
To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also reverse-engineered portions of the Windows operating system.
Nope you don't.

Sophistication never seen in typical malware
Although RC4 isn’t an esoteric stream cipher, the decision by the author to use such a cipher shows a level of sophistication not seen in typical crimeware.
What?

TL;DR
Nice groupping of anti-detection stuff of the Furtim, nothing more.
 #28867  by EP_X0FF
 Tue Jul 12, 2016 6:41 pm
Sample of this "nation-state-sponsored" malware attached. Also attached ActionQueue.dll - uac bypass dll this malware uses.
You do not have the required permissions to view the files attached to this post.
 #28875  by EP_X0FF
 Wed Jul 13, 2016 9:35 am
Oh, thats how they found it. By downloading it from here.
Image