bluebay2014 - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How does the SFG malware dropper evade antimalware programs?

The SFG malware dropper can bypass antimalware programs and exploit two patched vulnerabilities. Expert Nick Lewis explains how to these attacks work and how to stop them.

SentinelOne researchers reported that the SFG malware dropper they found was created to target European energy companies, and a state-sponsored group may be behind it. The dropper includes privilege escalation exploits for two patched Windows vulnerabilities and can bypass antivirus protection. How did this malware dropper take advantage of these patched Windows vulnerabilities, and how does it evade antivirus technology?

The new malware SentinelOne discovered and named SFG has reportedly targeted at least one energy company. Attribution or speculation on the target of an individual piece of malware is difficult, if not impossible, without a significant investigation and resources devoted to the effort. SentinelOne updated its blog post to make it clear it has no evidence that the SFG malware dropper targets SCADA energy management systems.

SentinelOne discovered SFG used two local privilege escalation exploits and one user account control (UAC) bypass, but didn't report how the malware initially got on the endpoint. If the malware cannot use the UAC bypass, SFG appears to bring the standard UAC window up to trick an unsuspecting user allow the malware to run and elevate itself to an administrator status. The two exploits are from 2014 and 2015 and they can only run on targeted systems with missing patches.

SFG appears to be a malware dropper for the other malware used in the next step of an attack. SFG uses a command shell to make many changes on an infected system and to remove antimalware tools.

How SFG malware dropper bypasses detection

SentinelOne lists the lengthy steps the SFG malware dropper uses to evade antivirus technology or detection:

  • It does not run on systems with certain MAC addresses, CPU information, hostnames, filenames, existing directories, kernel drivers, hardware present, BIOS, DLLs hooked, processes running, software installed like VMware tools or the ZKTeco software used for physical security systems, window names, registry keys and if running in a virtual machine, sandbox or being analyzed.
  • It uses NT file system alternative data streams for storing the malware.
  • It uses indirect system calls and encrypts part of the executable to make it more difficult to analyze the malware.
  • If it detects antimalware tools, it changes its behavior to avoid detection by behavioral detection capabilities.
  • It also changes the DNS settings to prevent antimalware tools from getting updates.

SentinelOne has a list of SHA-256 hashes for enterprises that want to check their endpoints for this malware. Enterprises should also make sure the two Windows vulnerabilities have been properly patched.

Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Find out how your enterprise can prevent fileless malware attacks

Learn how new cloud malware attacks work and how to stop them

Discover how to protect ICS and SCADA systems from IronGate malware

This was last published in December 2016

Dig Deeper on Malware, virus, Trojan and spyware protection and removal