Malware Targeting Energy Companies

Uploaded on 2016-07-19 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Production-Energy


Security researchers have discovered a new malware threat that goes to great lengths to remain undetected while targeting energy companies.

The malware program, which researchers from security firm SentinelOne have dubbed Furtim’s Parent, is a so-called dropper -- a program designed to download and install additional malware components and tools. The researchers believe it was released in May and was created by state-sponsored attackers.

The goal of droppers is to prepare the field for the installation of other malware components that can perform specialized tasks. Their priority is to remain undetected, gain privileged access, and disable existing protections. These are all tasks that Furtim’s Parent does well.

When it's first executed on a system, the malware tests the environment for virtual machines, sandboxes, antivirus programs, firewalls, tools used by malware analysts, and even biometrics software.

The tests are extensive. They involve checking against blacklists of CPU IDs, hostnames, file names, DLL libraries, directories, CPU core info, kernel drivers, running processes, hard disk vendor information, network cards, MAC addresses, and BIOS information -- artifacts left by known virtualization and security applications.

In some cases, if such software is detected the malware will terminate itself. In others, it will continue to run, but will limit its functionality and in the case of antivirus programs, it will try to disable them.

The depth and complexity of these tests suggest that the malware's creators have a good understanding of Windows and security products. This led researchers to believe Furtim's Parent is the work of multiple developers with high-level skills and access to considerable resources.

The malware doesn't install itself a regular file on disk, but as an NTFS alternative data stream (ADS). It starts early in the computer boot-up process and calls low-level undocumented Windows APIs in order to bypass the behavioral detection routines used by security products.

"The use of indirect subroutine calls make manual static analysis nearly impossible, and manual dynamic analysis painful and slow," the SentinelOne researchers said in a blog post recently. "The author took special care to keep this sample undetected for as long as possible."

The malware uses two Windows privilege escalation exploits, one patched by Microsoft in 2014 and one in 2015, as well as a known user account control (UAC) bypass technique to obtain administrator privileges. If this access is obtained, it adds the current user to the Administrators group to avoid running under a different account and raising suspicion.

Once it's installed, the malware silently disables the protection layers of several antivirus products and hijacks the system's DNS settings to prevent access to specific antivirus update servers. This ensures that the ground is set for the download and execution of its payloads.

One payload observed by the SentinelOne researchers was used to gather information from infected systems and to send it back to a command-and-control server. This was most likely a reconnaissance tool, but the dropper could also be used to download components designed to extract sensitive data or to perform destructive actions.

Energy production and distribution companies are an attractive target for state-sponsored cyber-attackers because their systems can potentially be used to cause physical damage. This is what happened in December in Ukraine, when hackers used malware to break into utilities and cause large-scale blackouts.

CSO

 

« A Strategic Company: The Internet of Things & How ARM Fits In
Healthcare CISOs Find Security Vendors Overpromising »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Acumin Recruitment

Acumin Recruitment

Acumin is an internationally established Cyber Security recruitment specialist.

ASU Online - Information Technology Program

ASU Online - Information Technology Program

The Information Technology program at ASU Online provides you with the expertise to design, select, implement and administer computer-based information solutions.

Syhunt Security

Syhunt Security

Syhunt is a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe.

Atempo

Atempo

Atempo is a leading independent European-based software vendor with a global presence. We provide solutions to protect, store, move and recover all your data.

Digital Innovation Hub Slovenia (DIH)

Digital Innovation Hub Slovenia (DIH)

DIH Slovenia is a central hub providing services to grow digital competencies in areas including robotics, IoT, cyberphysical systems and cybersecurity.

Inseego

Inseego

Inseego provides Enterprise SaaS solutions and IoT & Mobile solutions, which together form the backbone of intelligent, reliable and secure IoT services with deep business intelligence.

TeskaLabs

TeskaLabs

TeskaLabs is a software vendor of cybersecurity and data privacy products.

Digi International

Digi International

Digi is a leading global provider of mission-critical and business-critical machine-to-machine (M2M) and Internet of Things (IoT) connectivity products and services.

ClubCISO

ClubCISO

ClubCISO is a community of peers, working together to help shape the future of the information security profession by facilitating independent discussion on data security and cyber resilience.

Trusted Technologies and Solutions (TTS)

Trusted Technologies and Solutions (TTS)

TTS is a security consulting company specialised on business continuity and crisis management, information security management, information risk management and identity and access management.

BIRD Cyber

BIRD Cyber

BIRD Cyber is a program to promote collaboration on cybersecurity and emerging technologies aimed at enhancing the cyber resilience of critical infrastructure.

NetGain Technologies

NetGain Technologies

NetGain Technologies helps small to medium-sized businesses gain access to expert IT talent. We provide strategies that use technology as a driving force behind business growth.

Guardey

Guardey

Guardey protects thousands of SME's environments. Whether your team works at the office, at home, at the customer or remotely. We protect your business. We do this in an accessible and affordable way.

Bitdefender

Bitdefender

Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide.

Technoware Solutions

Technoware Solutions

Technoware Solutions is a global company committed to helping entities navigate the digital waters of modernizing their system processes in an ever changing cybersecurity landscape.

Qodea

Qodea

Qodea (formerly Appsbroker CTS) is Europe's largest Google Premier only transformation partner.