Brief : Furtim, a very carreful malware

Discovered by a certain « hFireF0X » and dubbed « Furtim » by EnSilo’s security experts, this new malware takes many precautions to go unnoticed on the infected machine.

Very sophisticated, Furtim is composed of:

• A driver that scan in deep the workstation of the victim,
• A download module allowing to retrieve on Internet different modules to install them,
• Three payloads which are:
  • A power manager allowing the configuration of the standby mode. The goal is to let the workstation on standby in order to communicate with the command and control server.
  • A data thief called « Pony Stealer » allowing to obtain credentials and sensitive information,
  • A server communication module.

The Furtim’s procedure is also unique because it’s able to analyze its environment before to start.

First of all, it begins to scan the infected machine to detect the presence of security solutions thanks to 400 filters. In case of positive detection, Furtim stops its installation.

In a second time, it scans the network to find DNS filtering tools to deny  access to specialized security website. It also disables all Windows notifications, popups, access to the command line and the task manager.

Finally when it succeeds to install itself, the malware runs payloads listed above.

According to EnSilo experts, this malware seems to be the work of hackers from Eastern Europe. It would be used to introduce new threats on infected computers without being detected to conduct attacks. By the way, EnSilo has not discovered how the malware spreads in the wild and how it infects machines.