bluebay2014 - Fotolia
SentinelOne researchers reported that the SFG malware dropper they found was created to target European energy companies, and a state-sponsored group may be behind it. The dropper includes privilege escalation exploits for two patched Windows vulnerabilities and can bypass antivirus protection. How did this malware dropper take advantage of these patched Windows vulnerabilities, and how does it evade antivirus technology?
The new malware SentinelOne discovered and named SFG has reportedly targeted at least one energy company. Attribution or speculation on the target of an individual piece of malware is difficult, if not impossible, without a significant investigation and resources devoted to the effort. SentinelOne updated its blog post to make it clear it has no evidence that the SFG malware dropper targets SCADA energy management systems.
SentinelOne discovered SFG used two local privilege escalation exploits and one user account control (UAC) bypass, but didn't report how the malware initially got on the endpoint. If the malware cannot use the UAC bypass, SFG appears to bring the standard UAC window up to trick an unsuspecting user allow the malware to run and elevate itself to an administrator status. The two exploits are from 2014 and 2015 and they can only run on targeted systems with missing patches.
SFG appears to be a malware dropper for the other malware used in the next step of an attack. SFG uses a command shell to make many changes on an infected system and to remove antimalware tools.
How SFG malware dropper bypasses detection
SentinelOne lists the lengthy steps the SFG malware dropper uses to evade antivirus technology or detection:
- It does not run on systems with certain MAC addresses, CPU information, hostnames, filenames, existing directories, kernel drivers, hardware present, BIOS, DLLs hooked, processes running, software installed like VMware tools or the ZKTeco software used for physical security systems, window names, registry keys and if running in a virtual machine, sandbox or being analyzed.
- It uses NT file system alternative data streams for storing the malware.
- It uses indirect system calls and encrypts part of the executable to make it more difficult to analyze the malware.
- If it detects antimalware tools, it changes its behavior to avoid detection by behavioral detection capabilities.
- It also changes the DNS settings to prevent antimalware tools from getting updates.
SentinelOne has a list of SHA-256 hashes for enterprises that want to check their endpoints for this malware. Enterprises should also make sure the two Windows vulnerabilities have been properly patched.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how your enterprise can prevent fileless malware attacks
Learn how new cloud malware attacks work and how to stop them
Discover how to protect ICS and SCADA systems from IronGate malware
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading