Sunday, July 17, 2016

Win32/Furtim: Malware With Galore Of Stealth And Evasions


Recently, around mid-May 2016, a sophisticated piece of malware nicknamed Win32/Furtim was uncovered, and since then a lot of noise has been made about its attribution and suspected targets. One of its dropped components was believed to target a European energy company, while others believed it to be a credential stealer. However, while the purpose of the malware and its potential targets are still unclear and perhaps under investigation, this piece of code seemed extremely interesting to me because it goes the extra mile and implements a heterogeneous set of techniques to hide its behaviour. These methods range from detecting installed anti-virus products, virtualization, sandboxes and monitoring tools to plenty of other things.

I wanted to take an in-depth look at the malware to see the evasion techniques used. The code has also been obfuscated to a huge extent by using indirect calls, to hinder static analysis. Apparently it also has several anti-debugging techniques to hide itself from debuggers: it uses ZwQueryInformationProcess with ProcessDebugPort to check whether the process is running under a debugger.

Bypassing user-space hooks

Win32/Furtim bypasses user-space hooks by calling ntdll APIs directly. Several AV products and sandboxes implement user-space hooks to monitor the API calls a process makes; this malware uses the lower-level calls to avoid being observed by those traditional hooks. Some of the ntdll APIs it tries to resolve:

Blacklisted processor architectures

It executes the CPUID instruction after loading the registers with the appropriate values to obtain the processor brand string, and compares it against the blacklisted processor architectures. If a match is found, it terminates:

Apart from this, the CPUID instruction also reveals hypervisor details. Below is the check the malware performs to find out whether it is running under a hypervisor.

Blacklisted hostnames

Next it tries to detect an analysis system by checking the hostname. The process terminates if the hostname matches any of the entries in the blacklist.

These hostnames apparently correspond to known sandboxes. Below are a couple of the instances found:

File paths containing the known strings

Many automated analysis systems, including commercial sandboxes, tend to use strings such as "malware", "sample" or "virus" in the file name or path. Here is the check that is performed after calling GetModuleFileNameW to match the module path against the known path names and strings.

VxStream sandbox

It calls GetDriveTypeW to check whether a Z:\ drive exists on the system as DRIVE_FIXED, and then checks for Z:\VxStream to see whether it is running inside the VxStream sandbox.

Known hooking DLLs used by AV products for behavior monitoring

Antivirus products and sandboxes attempt to monitor the behaviour of processes by injecting DLLs into their address space. These monitoring DLLs patch the API calls in kernel32.dll, redirecting them to their own stubs in order to log the behaviour or to modify the stack before the call is made. It is very unlikely that ntdll will be hooked by commercial sandboxes unless unavoidable, since its interface is not consistent and changes between OS versions. Win32/Furtim calls the ntdll API LdrGetDllHandle to check whether any of the monitoring DLLs below is loaded in the process. If it finds one, it terminates.

Known sandbox / monitoring tools artifacts

As another addition to its evasion techniques, it calls NtQueryAttributesFile to check whether the infected machine has any of a blacklist of files. The list includes checks for the Cuckoo sandbox, CWSandbox, the presence of a debugger, the SysAnalyzer monitoring tools, GFI Sandbox, malware decoders and several others. It will perhaps refuse to run, or alter its behaviour, if any of these files exists on the machine.

Mismatch in the number of CPU cores reported

This is yet another clever check performed by the malware. It calls NtQuerySystemInformation to populate a buffer with SYSTEM_BASIC_INFORMATION, then reads SYSTEM_BASIC_INFORMATION.NumberOfProcessors at its offset into the structure to see whether the number of processors reported is 1. If it is, the malware matches the brand string extracted with the CPUID instruction against its table of known CPU brand strings to validate the number of CPU cores. If this check succeeds, i.e. the reported core count does not match what is known for that CPU, the process terminates prematurely.

Dynamic analysis apparently reveals this fact:

Blacklist of processes related to known sandboxes / monitoring tools / virtualization environments / honeypots

Here is one more check, this time of running processes, looking for monitoring, debugging and static-analysis tools, sandbox processes, traffic-capture tools and honeypot processes on the infected system.

Kernel drivers associated with AV products / monitoring tools / virtualization

Another extensive blacklist, this time of loaded kernel drivers. It calls NtQuerySystemInformation to retrieve SYSTEM_MODULE_INFORMATION, the list of loaded kernel drivers, and the check is performed against the list below:

Virtual NIC cards

The following virtual NICs are checked as well. If any of them is found, the malware terminates.

Before this code executes, it also checks for a system with a NIC named "Realtek RTL8139 Family PCI Fast Ethernet NIC", a username of "Antony" or "Antonie", and the existence of a C:\Downloads directory. This doesn't sound like a sandbox-specific configuration; perhaps it simply doesn't want to run on a system owned by "Antony".

Hypervisor registry keys

As if these weren't enough, it also checks for the known hypervisor-specific registry keys. Below is the code that checks for them.

Next, it accesses the registry key \Registry\Machine\HARDWARE\DESCRIPTION\System and verifies whether it has the following values:

  • SystemBiosVersion has following data
    • BOSCH - 1
    • VBOX - 1
    • PRLS - 1
  • VideoBiosVersion has following data
    • Virtualbox

DLLs associated with analysis tools and sandboxes

The DLLs listed below are usually loaded by the tools used to analyse malware samples (SysAnalyzer etc.). Some of them are loaded by known sandboxes (Sandboxie, Sunbelt, Buster).

Presence of "VMware Tools" directory under C:\

It calls GetDriveTypeW to check that C:\ is present on the system and then checks for the existence of the following directories:

  • C:\Program Files\VMware\VMware Tools
  • C:\Program Files (x86)\VMware\VMware Tools (64-bit systems)

Presence of Virtual HD

The two registry keys below are accessed and the extracted value is checked against the known virtual HD identifiers. A successful match results in termination of the process.

\Registry\Machine\SYSTEM\CurrentControlSet\Enum\IDE
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\SCSI

  • QEMU_
  • VMware
  • Ven_Red_Hat&Prod_VirtIO
  • DiskVBOX
  • DiskVirtual

Presence of BioMetrics / Fingerprint software by ZkTeco

It is hard to believe that any malware would check for this, but it was interesting to find that it checks whether ZkTeco software is installed on the system. Googling for it, ZkTeco is apparently a provider of biometric / fingerprint sensors. I can certainly say at this point that this malware has turned out to be too restrictive: software of this nature wouldn't run on any automated analysis system. Along with this, it also checks whether the path name contains "Oracle". I am not sure whether the author really intended this as a sandbox check.

Registry check for installed traffic analyzers / analysis tools / virtual environment

Yet another list of software installations to check for in the registry.

Window class names / Window Title Names

Eventually, it also runs a check for the known window class and window title names used by Sysinternals monitoring tools and sandboxes. Below is the exhaustive blacklist for that as well.

Malware has become extremely evasive in nature in order to avoid running in automated analysis systems, and authors employ a variety of techniques to make static analysis time-consuming and complex for researchers as well. However, none of the techniques used in this malware is new or something we haven't seen before; it is just that this is a comprehensive list of almost all the evasions we would probably have come across in other malware in the past.
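As an added example, not part of the original post, the indicator strings quoted in the sections above can be turned around for defence: the Python below statically scans a binary for them in both ASCII and UTF-16LE (the form the wide Windows APIs named above compare against), groups the hits by the check they belong to, and applies a category-count threshold that is my own choice. The values are copied exactly as the post gives them, and the sample buffer is constructed, not a real Furtim binary.

```python
"""Static triage for the VM/sandbox-evasion strings enumerated in the post.
Each indicator is searched as ASCII and as UTF-16LE, the encoding the wide
Windows APIs in the post (GetModuleFileNameW, registry paths) compare against,
so an ASCII-only strings(1) pass would miss most of them."""
import re
from collections import defaultdict

# Indicator strings quoted in the post's text, grouped by check. Lists that
# survive only as screenshots (hostnames, processes, drivers) are omitted.
INDICATORS = {
    "path_keyword": ["malware", "sample", "virus"],
    "vxstream": ["Z:\\VxStream"],
    "vmware_tools": ["VMware\\VMware Tools"],
    "bios_vendor": ["VBOX", "PRLS", "BOSCH", "Virtualbox"],
    "virtual_disk": ["QEMU_", "VMware", "Ven_Red_Hat&Prod_VirtIO",
                     "DiskVBOX", "DiskVirtual"],
    "hw_registry": ["HARDWARE\\DESCRIPTION\\System",
                    "CurrentControlSet\\Enum\\IDE", "CurrentControlSet\\Enum\\SCSI"],
    "odd_specifics": ["Realtek RTL8139 Family PCI Fast Ethernet NIC", "Antony",
                      "Antonie", "C:\\Downloads", "ZkTeco", "Oracle"],
}

def scan(blob: bytes) -> dict:
    """Return {category: [(indicator, encoding, offset), ...]} for every match.
    ASCII letters match case-insensitively; in the UTF-16LE pattern the
    interleaved NUL bytes are literal, so only genuine wide strings match."""
    hits = defaultdict(list)
    for category, needles in INDICATORS.items():
        for needle in needles:
            for enc in ("ascii", "utf-16-le"):
                pattern = re.compile(re.escape(needle.encode(enc)), re.IGNORECASE)
                for m in pattern.finditer(blob):
                    hits[category].append((needle, enc, m.start()))
    return dict(hits)

def verdict(hits: dict, min_categories: int = 3) -> str:
    """Heuristic threshold (my choice, not the post's): several distinct
    evasion families in one binary is the signal; a lone "sample" is not."""
    return "evasion-heavy" if len(hits) >= min_categories else "inconclusive"

# Constructed sample (not a real Furtim binary): fake header, a wide VxStream
# path, an ASCII VMware Tools path and a wide virtual-disk vendor string.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + "Z:\\VxStream".encode("utf-16-le") + b"\x00\x00"
          + b"C:\\Program Files\\VMware\\VMware Tools\x00"
          + "DiskVirtual".encode("utf-16-le") + b"\x00\x00"
          + b"ordinary string table text\x00")
```

To triage a real file, pass `open(path, "rb").read()` to `scan()` and feed the result to `verdict()`; the per-category offsets are what you then inspect in the disassembler.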