A new malware campaign targeting European energy companies has been identified by SentinelOne. The details are in a blog by Joseph Landry and Udi Shamir entitled SFG: Furtim’s Derivative.
It has described SFG as: “..the mother ship of an earlier malware sample called Furtim, which targets the industrial automation control systems with sophisticated malware and acts as dropper to deliver a payload which could be used to extract data or potentially shut down the energy grid.”
Who is responsible for this attack?
According to Udi Shamir, Chief Security Officer at SentinelOne: “The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature.” This is an interesting claim. There is a general belief around the security industry that attacks of this level are always nation state.
This belief is based on risk and reward. It is easy to see what criminals gain from ransomware attacks. If criminals saw a benefit to holding an energy company hostage based on the threat then it might work for them. The risk is that it would bring them to the attention of state security services. This means that the risk is far higher than the reward and would not make sense.
There is also the issue of complexity and funding. The Dark Net shows how easy it is to bring together hackers to work on different parts of a complex problem. This is what is facing the automotive industry who are seemingly in denial over the sophistication of hacking networks. SentinelOne believes that the level of collaboration and the cost of development to be much greater than could be done by groups of hackers.
Code reuse also points to nation state
Shamir goes on to say: “It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group.”
There are other elements in the code that reinforce the SentinelOne view of a nation state attack. For example the use of Rootkits used in previous nation state attacks.
Detecting physical and software security
This code runs across all versions of Microsoft Windows. It detects not just antivirus solutions but some of the latest techniques for stopping attacks. It detects the use of sandboxing and avoids those machines. Interestingly the blog says that the malware looks for a specific vendors biometric software and stops there.
SFG actively looks for biometric systems used by access control system vendor ZKTeco. They use facial recognition, fingerprint scanners and RFID to protect their workstations. It will terminate if it detects any of these. According to the blog this is because: “These systems would be heavily scrutinized by their administrators, and an infection on one of these machines would likely not go unnoticed.”
SFG infection includes the use of proven exploits
SFG takes advantage of two known exploits CVE-2014-4113 and CVE-2015-1701. These provide local privilege escalation. It also uses one UAC bypass. Altogether these enable SFG to gain administrator privileges. Not only does this make it easier for SFG to install itself on the target machine but it also adds the user into the local administrator account. This makes ongoing management of the malware easier.
Having established control on the local computer SFG writes itself to disk, hiding in an NTFS Alternate Data Stream (ADS). This makes SFG impossible to see with normal file browsers and ensures it runs every time the machine is booted-up. To prevent the anti-virus programs from detecting it, SFG also removes filter drivers that monitor network traffic. These are used to detect communication with C&C servers making it easier to detect malware infections.
Installation itself early in the boot process enables SFG to remove the anti-virus software installed on the local machine. This does raise some questions. It is not clear how it then fools enterprise software designed to deploy and manage AV installation. Does it leave the files behind but limit their functionality? Would greater attention to the management software make it possible to spot the infection?
Defeating the security analyst
The blog calls out a number of techniques used by SFG to defeat security analysts. This includes spotting the use of sandboxes by running CPUID, hostnames and filename checks. SFG also looks for other indicators that show the presence of anti-virus software and sandboxes. Detection of any of them leads to SFG terminating its attack early.
The sophistication of this attack extends further. It looks at kernel drivers and compares them to its own blacklist. Depending on what it finds it will either terminate or implement additional evasion techniques. This is indicative of an attack that is not only evolving but is learning constantly. It will enable it to stay up to date with new discovery techniques and improve its ability to hide.
Conclusion
This is a very sophisticated malware. Its ability to detect and evade security software and tools used by analysts makes it a highly dangerous threat. Using multiple evasion techniques, SFG is able to evolve over time. It is only attacking one, as yet unnamed, European energy company. There is no reason to believe it is not targeting other energy companies or other national critical infrastructure.
SentinelOne believe that this is an Eastern European attack. It is likely to be part of the increased wave of cyberattacks as a part of the Russia/Ukraine conflict.
