SentinelOne researchers reported that the SFG malware dropper they found was created to target European energy companies, and a state-sponsored group may be behind it. The dropper includes privilege escalation exploits for two patched Windows vulnerabilities and can bypass antivirus protection. How did this malware dropper take advantage of these patched Windows vulnerabilities, and how does it evade antivirus technology?
The new malware SentinelOne discovered and named SFG has reportedly targeted at least one energy company. Attribution or speculation on the target of an individual piece of malware is difficult, if not impossible, without a significant investigation and resources devoted to the effort. SentinelOne updated its blog post to make it clear it has no evidence that the SFG malware dropper targets SCADA energy management systems.
SentinelOne discovered that SFG used two local privilege escalation exploits and one user account control (UAC) bypass, but it didn't report how the malware initially got on the endpoint. If the malware cannot use the UAC bypass, SFG appears to bring up the standard UAC window to trick an unsuspecting user into allowing the malware to run and elevate itself to administrator status. The two exploits date from 2014 and 2015, and they only work on targeted systems that are missing the corresponding patches.
SFG appears to be a malware dropper for the other malware used in the next step of an attack. SFG uses a command shell to make many changes on an infected system and to remove antimalware tools. SentinelOne lists the lengthy steps the SFG malware dropper uses to evade antivirus technology or detection:
- It does not run on systems that show certain MAC addresses, CPU information, hostnames, filenames, existing directories, kernel drivers, hardware, BIOS details, hooked DLLs, running processes, installed software (such as VMware Tools or the ZKTeco software used for physical security systems), window names or registry keys, or if it detects that it is running in a virtual machine or sandbox, or is being analyzed.
- It uses NTFS alternate data streams for storing the malware.
- It uses indirect system calls and encrypts part of the executable to make the malware more difficult to analyze.
- If it detects antimalware tools, it changes its behavior to avoid detection by behavioral detection capabilities.
- It also changes the DNS settings to prevent antimalware tools from getting updates.
SentinelOne has published a list of SHA-256 hashes that enterprises can use to check their endpoints for this malware. Enterprises should also make sure the two Windows vulnerabilities have been properly patched.
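Of the evasion steps listed above, the alternate data stream trick is one a defender can hunt for directly. The script below is an added example, not code from the article or from SentinelOne; it assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and the scan root `$Root` and the benign-stream list are assumptions you can adjust.

```powershell
# Added example (not from the article or SentinelOne): hunt for executables hidden in
# NTFS alternate data streams, the storage trick the article attributes to SFG.
# Assumption: Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
param(
    [string]$Root = "$env:USERPROFILE"   # assumption: scan the current user's profile
)

# Streams that are normally present and usually benign; everything else is reported.
$benignStreams = @(':$DATA', 'Zone.Identifier')

function Get-AdsHeader {
    param([string]$Path, [string]$Stream)
    # Read the first two bytes of the stream; the byte-mode switch differs between PS 5.1 and 7.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    }
    if ($bytes -and $bytes.Count -ge 2) { return -join ($bytes | ForEach-Object { [char]$_ }) }
    return ''
}

$findings = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Enumerate every named stream attached to the file, skipping the known-benign ones.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benignStreams -notcontains $_.Stream } |
            ForEach-Object {
                $header = Get-AdsHeader -Path $file.FullName -Stream $_.Stream
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # 'MZ' at offset 0 means a PE executable is stored in the stream.
                    IsPE   = ($header -eq 'MZ')
                }
            }
    }

# Executables hidden in streams are listed first, then any other unusual streams.
$findings | Sort-Object -Property @{Expression = 'IsPE'; Descending = $true}, File |
    Format-Table -AutoSize
```

Any stream flagged `IsPE` deserves a hash check against the published indicator list; non-PE streams from software you do not recognize are worth a look as well, since scripts and configuration can be hidden the same way.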
Related Q&A from Nick Lewis