SentinelOne researchers reported that the SFG malware dropper they found was created to target European energy...
companies, and a state-sponsored group may be behind it. The dropper includes privilege escalation exploits for two patched Windows vulnerabilities and can bypass antivirus protection. How did this malware dropper take advantage of these patched Windows vulnerabilities, and how does it evade antivirus technology?
The new malware SentinelOne discovered and named SFG has reportedly targeted at least one energy company. Attribution or speculation on the target of an individual piece of malware is difficult, if not impossible, without a significant investigation and resources devoted to the effort. SentinelOne updated its blog post to make it clear it has no evidence that the SFG malware dropper targets SCADA energy management systems.
SentinelOne discovered SFG used two local privilege escalation exploits and one user account control (UAC) bypass, but didn't report how the malware initially got on the endpoint. If the malware cannot use the UAC bypass, SFG appears to bring the standard UAC window up to trick an unsuspecting user allow the malware to run and elevate itself to an administrator status. The two exploits are from 2014 and 2015 and they can only run on targeted systems with missing patches.
SFG appears to be a malware dropper for the other malware used in the next step of an attack. SFG uses a command shell to make many changes on an infected system and to remove antimalware tools.
How SFG malware dropper bypasses detection
SentinelOne lists the lengthy steps the SFG malware dropper uses to evade antivirus technology or detection:
- It does not run on systems with certain MAC addresses, CPU information, hostnames, filenames, existing directories, kernel drivers, hardware present, BIOS, DLLs hooked, processes running, software installed like VMware tools or the ZKTeco software used for physical security systems, window names, registry keys and if running in a virtual machine, sandbox or being analyzed.
- It uses NT file system alternative data streams for storing the malware.
- It uses indirect system calls and encrypts part of the executable to make it more difficult to analyze the malware.
- If it detects antimalware tools, it changes its behavior to avoid detection by behavioral detection capabilities.
- It also changes the DNS settings to prevent antimalware tools from getting updates.
SentinelOne has a list of SHA-256 hashes for enterprises that want to check their endpoints for this malware. Enterprises should also make sure the two Windows vulnerabilities have been properly patched.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how your enterprise can prevent fileless malware attacks
Learn how new cloud malware attacks work and how to stop them
Discover how to protect ICS and SCADA systems from IronGate malware
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.