Tags: Furtim, malware, SFG
Same Network Leveraged by Carberp, Pony and More
This month, reports surfaced of a sophisticated malware threat found on computers of a European power generation and distribution company. The malware was dubbed “SFG” and the reports linked it to a malware strain named “Furtim” by the security researchers who first recognized and analyzed it in May 2016. Soon, the press was calling this “SCADA malware” and reports implied that a “nation-state” was using it to target the electric grid.
The facts are:
- SFG is just another Furtim build
- There is no code specific to attacking ICS or SCADA systems
- It uses known financially-incentivized cybercriminal infrastructure
The good news is that the world’s electric grids are no more at risk from Furtim/SFG than any other backdoor infection. Or is that the bad news?
The malware is not indiscriminate. It takes a “kitchen sink” approach to all known methods of detecting sandbox, honeypot, and analysis environments and uses countertactics to avoid detection. None of the detection tactics are novel. They are cobbled together from other malware code dating back years, but the coverage of these tactics is the most comprehensive seen in any malware strain to date.
So what’s new?
Some of the countertactics, such as the disabling and enabling of certain Group Policy settings, are novel. It really strives to ensure that all host-based security controls are disabled, exploiting two known/patched vulnerabilities to escalate privileges. Once shields are down and the machine totally pwn3d, it is free to download any secondary payloads. It appears that the operators have been so confident in their primary payload’s evasion tactics that secondary payloads are sometimes not even packed (“crypted” or “FUDed”).
A researcher going by the handle “@hFireF0X” recognized the first Furtim sample, and after some discussion on the KernelMode.info forum, an analysis was documented on public malware intelligence outlets operated by enSilo on May 16, 2016. Not much attention was paid to it until a variant was analyzed by researchers at SentinelOne. Those findings were published on July 12, 2016, and picked up by the press. This is where the implications began: that nation-state actors must be behind it and that it was specifically targeting the electric utilities and SCADA systems that make up “The Grid”.
An IDS rule was proposed by one researcher, but it only catches the SFG version of the secondary payload as detailed by SentinelOne. In truth, network-based IOCs (indicators of compromise), especially network touchpoints like IPv4 addresses and FQDNs (fully-qualified domain names), were hard to come by.
The IDS rule focused on the bot component, known as “Pony Stealer”. It will likely only catch the exact build referenced in the SentinelOne “SFG” analysis as the Windows GUI mode PE executable “rdpinst.exe”. The dropped Pony Stealer in that case has an MD5 of 4598af84ee2dbd88d3fff0b60aba829a412dfbe3 (ignore the leading ‘1’ in the original write-up, since it’s a typo).
The Pony Stealer builder has different choices of User-Agent string values — among other things like Accept-Encoding and Accept-Language header values — for each time the binary is built.
The IDS rule will miss the rdpinst.exe from the KernelMode/enSilo “Furtim” case (MD5: e392981fae25554f50fec1c823c454c5), where the string literal for the request, including format characters, is:
POST %s HTTP/1.1
Accept-Encoding: identity, *;q=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
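As an added illustration of why a verbatim-header rule is brittle (my own example, not code from the post or from the vendors it cites): a small Python detector that scores the request features discussed above (POST method, the “Host: nullptr” IOC, the “identity, *;q=0” Accept-Encoding and a legacy-MSIE User-Agent shape) instead of matching one build's User-Agent string. The three sample requests, the “/gate.php” path, the User-Agent regular expression and the score threshold are constructed assumptions.

```python
import re
from typing import Dict

# Constructed sample requests (not captures from the post). The Accept-Encoding and
# User-Agent values in the first one are the string literal quoted from the enSilo
# sample; the "/gate.php" path stands in for the %s format argument.
SAMPLE_FURTIM = (
    "POST /gate.php HTTP/1.1\r\nHost: nullptr\r\nAccept-Encoding: identity, *;q=0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\nContent-Length: 0\r\n\r\n"
)
# Same shape, but a different builder-chosen User-Agent (constructed).
SAMPLE_VARIANT = (
    "POST /gate.php HTTP/1.1\r\nHost: nullptr\r\nAccept-Encoding: identity, *;q=0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nAccept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/47.0\r\n\r\n"
)

EXACT_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
# Assumed shape of the legacy MSIE User-Agents a builder might rotate through.
LEGACY_UA = re.compile(r"Mozilla/4\.0 \(compatible; MSIE [3-6]\.\d+; Windows (95|98|NT 5\.[01])\)")

def parse_request(raw: str) -> Dict[str, str]:
    """Return the request line plus headers keyed by lowercase name."""
    lines = raw.split("\r\n")
    fields = {"_request_line": lines[0]}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def exact_ua_rule(raw: str) -> bool:
    """The brittle approach: one build's User-Agent, matched verbatim."""
    return parse_request(raw).get("user-agent") == EXACT_UA

def checkin_score(raw: str) -> int:
    """Score independent features of a Pony-style check-in; no single header decides."""
    h = parse_request(raw)
    score = 1 if h["_request_line"].startswith("POST ") else 0
    score += 2 if h.get("host", "").lower() == "nullptr" else 0
    score += 1 if h.get("accept-encoding") == "identity, *;q=0" else 0
    score += 1 if LEGACY_UA.fullmatch(h.get("user-agent", "")) else 0
    return score

def is_checkin(raw: str, threshold: int = 3) -> bool:
    """Threshold is an assumption; tune it against your own traffic baseline."""
    return checkin_score(raw) >= threshold
```

The exact rule fires only on the first sample, while the feature score flags both check-in shapes and leaves the benign request at zero.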
When it comes to known network touchpoints like domain names, IP addresses, and the like, everyone has been very guarded, with the SentinelOne report showing only the HTTP conversation content (no IP addresses or DNS lookups), and the original enSilo report teasing, “We do know that the C&C server is hosted at a Russian domain, which resolves to several Ukrainian IP addresses.”
After some digging based on filename patterns and the “Host: nullptr” IOC, I found that both of these samples (the SentinelOne “SFG” build and the enSilo “Furtim” build) are related to, but not the same as, the rdpinst.exe sample identified with the SHA-256 hash 59a44da02321bc0a1412ced073a08825938fcc2393b9b8bfa39d6bf8e87a4c9a.
This report at least had some check-in/C2 host info:
Although in this case, it’s not Ukraine, it’s Vietnam. Through querying Damballa’s passive DNS data, I found that it’s related to these two domains:
That pattern seems familiar. Damballa’s exclusive pDNS (Passive DNS) database contained 29053 unique “A” records for reg.hd83rd.ru over the last year, so it definitely seems like a fast-flux proxy-based network.
Some have drawn comparisons to some of the bot loader code from Carberp and other leaked or shared bot source code. I looked at the IP addresses from the pDNS query and see a large overlap with those also pointed to by the fast-flux domains used as distribution points and payment collection sites related to TeslaCrypt, especially those using the .at TLD pointing to IP addresses in Ukraine. There seems to be a large percentage of bots in Ukraine and Russia, but they range all over the world from Saudi Arabia to Vietnam to Kazakhstan.
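An added example (mine, not Damballa's tooling) of the two tests applied to the pDNS results above: a fast-flux heuristic over each domain's A records (many unique IPs, spread across several /24s, short TTLs) and the overlap between two domains' resolved IP sets. The rows, domain names, addresses (RFC 5737 documentation ranges) and thresholds are constructed placeholders, not the real reg.hd83rd.ru data.

```python
import ipaddress
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS rows (domain, A record, TTL) standing in for a real pDNS query.
PDNS_ROWS = [
    ("flux-a.example", "192.0.2.10", 300), ("flux-a.example", "192.0.2.77", 300),
    ("flux-a.example", "198.51.100.5", 300), ("flux-a.example", "198.51.100.9", 300),
    ("flux-a.example", "203.0.113.40", 300), ("flux-a.example", "203.0.113.41", 300),
    ("flux-b.example", "192.0.2.10", 120), ("flux-b.example", "192.0.2.77", 120),
    ("flux-b.example", "198.51.100.5", 120), ("flux-b.example", "203.0.113.40", 120),
    ("flux-b.example", "203.0.113.99", 120),
    ("stable.example", "192.0.2.200", 86400), ("stable.example", "192.0.2.200", 86400),
]

def a_records(rows) -> Tuple[Dict[str, Set[str]], Dict[str, List[int]]]:
    """Group unique A records and all observed TTLs per domain."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in rows:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return ips, ttls

def flux_features(ips: Set[str], ttls: List[int]) -> Tuple[int, int, float]:
    """(unique IPs, distinct /24 networks, median TTL) for one domain."""
    nets = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
    return len(ips), len(nets), median(ttls)

def is_fast_flux(ips, ttls, min_ips=5, min_nets=3, max_ttl=600) -> bool:
    """Assumed thresholds: a real query like the 29053-record one is far past them."""
    n_ips, n_nets, ttl = flux_features(ips, ttls)
    return n_ips >= min_ips and n_nets >= min_nets and ttl <= max_ttl

def shared_ip_ratio(a: Set[str], b: Set[str]) -> float:
    """Jaccard overlap of two domains' resolved-IP sets (the 'large overlap' test)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def classify(rows) -> Dict[str, bool]:
    """Fast-flux verdict per domain in the pDNS rows."""
    ips, ttls = a_records(rows)
    return {d: is_fast_flux(ips[d], ttls[d]) for d in ips}
```

Two domains that both classify as fast-flux and share most of their A records are the shape of evidence the post uses to tie separate campaigns to one proxy network.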
My findings were that they are all using the same commodity cybercriminal botnet infrastructure used by recent Pony and Gozi ISFB campaigns, the same “Dark Cloud” (a.k.a. Fluxxy) infrastructure referenced here:
This virtual fast-flux network of bots is home to operators behind the most damaging Carberp, Gozi ISFB, Pony, TeslaCrypt, Rock Loader, Qakbot/Quakbot, GameOver ZeuS/Zbot, KINS, ICE IX, Zemot/Rerdom, Necurs, Tinba, and Rovnix campaigns.
The good guys have already accounted for Furtim/SFG’s evasion tactics used to keep it “off the grid” of malware intelligence. It does not appear to be a nation-state operation, and there is no specific threat to any particular sector. It appears to be a commodity, financially-incentivized malware operation using known cybercriminal proxy-based, fast-flux DNS infrastructure. However, the broad types of credentials it compromises can be used in ways with significant and far-reaching consequences. Considering the total compromise this malware effects on systems, and how well it can operate below the radar, we should do our best to keep Furtim/SFG off the electric grid… and every other system.
We should focus our intelligence efforts on mapping this fast-flux infrastructure and working with authorities to disrupt, degrade, and destroy it.