Security experts are warning of newly discovered credential-stealing malware which prioritizes stealth, scoring a 0% detection rate in VirusTotal.
Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.
The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.
Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.
It blocks access to nearly 250 security-related sites by replacing Windows’ hosts file, and evades DNS filtering services by scanning the machine’s configured nameservers and replacing any known filtering nameserver with a public one.
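A defender-side check for the two tampering behaviours just described, written as an added example rather than code from enSilo’s analysis; the security-domain watchlist, the resolver addresses and the hosts-file content are constructed placeholders, not values from the article:

```python
"""Flag Furtim-style network tampering: security-vendor domains sinkholed in the
hosts file, and a DNS-filtering resolver swapped for a public one."""
import ipaddress

# Constructed watchlists (illustrative; not taken from the article).
SECURITY_DOMAINS = {"example-av-vendor.test", "updates.example-edr.test"}
FILTERING_RESOLVERS = {"198.51.100.53"}    # placeholder for an org's filtering resolver
PUBLIC_RESOLVERS = {"8.8.8.8", "1.1.1.1"}  # well-known public resolvers


def sinkholed_entries(hosts_text):
    """Return (domain, address) pairs where a watched security domain is mapped
    to a loopback or unspecified address, i.e. silently blocked."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr_txt, *names = line.split()
        try:
            addr = ipaddress.ip_address(addr_txt)
        except ValueError:
            continue                           # malformed line, not our concern here
        if addr.is_loopback or addr.is_unspecified:
            for name in names:
                if name.lower() in SECURITY_DOMAINS:
                    hits.append((name.lower(), addr_txt))
    return hits


def resolver_swapped(configured):
    """True when no filtering resolver remains and a public one took its place."""
    configured = set(configured)
    return not (configured & FILTERING_RESOLVERS) and bool(configured & PUBLIC_RESOLVERS)


# Constructed sample hosts file with two sinkholed security domains.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 example-av-vendor.test   # sinkholed
0.0.0.0   updates.example-edr.test
192.0.2.10 intranet.example.test
"""

if __name__ == "__main__":
    print("sinkholed:", sinkholed_entries(SAMPLE_HOSTS))
    print("resolver swapped:", resolver_swapped(["8.8.8.8"]))
```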
Once installed, it will override any reboot policy to ensure downloaded payloads will run; disable Windows notifications and pop-ups; and block the user from accessing the command line and task manager, so they can’t kill any malicious processes, the enSilo researcher continued.