Latest Malware Threat Stealthily Flees from Security Products

The future of malware has made its unwelcome grand entrance…and it’s a doozy. Dubbed “Furtim” (Latin for stealthy), this malware outwits the most sophisticated security with a series of checks to detect more than 400 antivirus platforms. If Furtim finds any security product on that list—from the well-known to the obscure—or any virtualized or sandboxed environment, it will stop installation to evade discovery. And that’s just a snippet of Furtim’s capabilities.

The malware also blocks access to 250 security-related websites; makes configuration changes to prevent victims from accessing basic computer functions; runs a power-management utility to ensure the computer never sleeps; and avoids DNS filtering by scanning the network interfaces before it takes hold. When it infects a machine, it protects its identity by sending its payload information only once. Furtim has puzzled investigators. There are no concrete leads as to who is behind this malware—one scant clue is that the virus phones home to servers based in Ukraine.
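As an added illustration from the defender's side (not code from this post, from SentinelOne or from Furtim), the check below looks for one of the behaviours listed above: security-related websites being blocked on the host. It assumes the blocking is done by tampering with the hosts file, which the post does not state, and it uses constructed placeholder domains and a constructed sample hosts file rather than the real 250-site list.

```python
# Added example, not code from the post, SentinelOne or Furtim: a behavioural
# check for one symptom described above, the blocking of security-related
# websites. ASSUMPTION: the block is done through the hosts file (the post does
# not say how). Domain list and sample hosts content are constructed.
import ipaddress
# Constructed placeholder domains standing in for the security sites a
# defender would watch (not the 250 real domains the post mentions).
SECURITY_DOMAINS = {"av-vendor.example", "sandbox-lab.example"}
# Addresses that silently discard traffic when used in a hosts file.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a valid address
        for host in parts[1:]:
            yield parts[0], host.lower().rstrip(".")

def is_watched(host, watch=SECURITY_DOMAINS):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watch)

def find_blocked_security_hosts(text, watch=SECURITY_DOMAINS):
    """Return (host, ip, reason) for entries that touch a watched domain:
    'sinkhole' means traffic is discarded, 'redirect' means sent elsewhere."""
    hits = []
    for ip, host in parse_hosts(text):
        if is_watched(host, watch):
            reason = "sinkhole" if ip in SINKHOLE_IPS else "redirect"
            hits.append((host, ip, reason))
    return hits

# Constructed sample: two tampered entries plus benign ones.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
0.0.0.0     av-vendor.example www.av-vendor.example
192.0.2.10  update.sandbox-lab.example  # redirected to a TEST-NET address
192.0.2.20  news.example
"""

if __name__ == "__main__":
    for host, ip, reason in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"{reason}: {host} -> {ip}")
```

Any hit for a vendor or update domain is worth an alert on its own, since legitimate hosts files almost never carry such entries.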

This Latest Malware Threat May Be Just the Tip of the Iceberg

Furtim is proof the cyber underworld has upped the ante in its pursuit of victims. It is clear that Furtim’s malware authors were most concerned about avoiding detection. This kind of malware could not have been more specifically built to prevent security researchers from finding the virus in the wild. Had it continued to evade detection, it would have kept researchers from reverse-engineering the program, writing a signature for it, and publishing it to antivirus platforms to stop it from spreading.

Here’s the really worrying thing, however—publishing a signature for Furtim is not going to stop it. First of all, it’s easy enough to change malware so that no signature-based security solution will recognize that it exists. Second of all, Furtim is specifically designed to find computers that are running zero protections of any kind. It’s going after users that are so minimally security-conscious that they are almost guaranteed never to know that they’ve been infected. Third of all, other malware authors are very likely to take their cues from this stealthy new approach. Furtim may be just one aspect of a wave of new malware that takes advantage of the lowest common denominator in security awareness.

Could Furtim Threaten the Enterprise?

Why should security professionals worry about Furtim? We know that it’s very unlikely that Furtim would be able to get a toehold in an enterprise network, because even the least security-conscious enterprise is still likely to invest in basic endpoint protection. Let’s say that one of your users has a home computer that they run without any kind of AV, however. That computer is a Furtim target, and since Furtim steals credentials, your latest malware problem could quickly turn into an insider threat.

Alternatively, let’s say that you don’t run continuous monitoring on all of your endpoints. You might miss infections such as Furtim in between scans, allowing the latest malware to execute and deliver its payload of credentials during the interval.

In order to defeat advanced malware like Furtim, you need a cutting-edge offering that examines a piece of code or program not by searching for known malware signatures, but by taking a holistic view of its actions, both legitimate and malicious, to look for unusual system behavior. SentinelOne Endpoint Protection Platform and Critical Server Protection Platform seamlessly combine prevention, detection, mitigation, remediation and real-time forensics to protect your endpoint and server assets, regardless of the threat or attack vector used. For more on how our intuitive, behavioral approach can defend against malware like Furtim, download our technical whitepaper today.