SentinelOne researchers reported that the SFG malware dropper they found was created to target European energy...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
companies, and a state-sponsored group may be behind it. The dropper includes privilege escalation exploits for two patched Windows vulnerabilities and can bypass antivirus protection. How did this malware dropper take advantage of these patched Windows vulnerabilities, and how does it evade antivirus technology?
The new malware SentinelOne discovered and named SFG has reportedly targeted at least one energy company. Attribution or speculation on the target of an individual piece of malware is difficult, if not impossible, without a significant investigation and resources devoted to the effort. SentinelOne updated its blog post to make it clear it has no evidence that the SFG malware dropper targets SCADA energy management systems.
SentinelOne discovered SFG used two local privilege escalation exploits and one user account control (UAC) bypass, but didn't report how the malware initially got on the endpoint. If the malware cannot use the UAC bypass, SFG appears to bring the standard UAC window up to trick an unsuspecting user allow the malware to run and elevate itself to an administrator status. The two exploits are from 2014 and 2015 and they can only run on targeted systems with missing patches.
SFG appears to be a malware dropper for the other malware used in the next step of an attack. SFG uses a command shell to make many changes on an infected system and to remove antimalware tools. SentinelOne lists the lengthy steps the SFG malware dropper uses to evade antivirus technology or detection:
- It does not run on systems with certain MAC addresses, CPU information, hostnames, filenames, existing directories, kernel drivers, hardware present, BIOS, DLLs hooked, processes running, software installed like VMware tools or the ZKTeco software used for physical security systems, window names, registry keys and if running in a virtual machine, sandbox or being analyzed.
- It uses NT file system alternative data streams for storing the malware.
- It uses indirect system calls and encrypts part of the executable to make it more difficult to analyze the malware.
- If it detects antimalware tools, it changes its behavior to avoid detection by behavioral detection capabilities.
- It also changes the DNS settings to prevent antimalware tools from getting updates.
SentinelOne has a list of SHA-256 hashes for enterprises that want to check their endpoints for this malware. Enterprises should also make sure the two Windows vulnerabilities have been properly patched.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how your enterprise can prevent fileless malware attacks
Learn how new cloud malware attacks work and how to stop them
Discover how to protect ICS and SCADA systems from IronGate malware
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
USB Killer devices, with the ability to destroy systems via a USB input, are available and inexpensive. Expert Nick Lewis explains how they work and ...continue reading
Exaspy spyware, which can access messages, video chats and more, was found on Android devices owned by executives. Expert Nick Lewis explains how ...continue reading
The Nemucod downloader malware is being spread through Facebook Messenger disguised as an image file. Expert Nick Lewis explains the available ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.