The malware's name comes from Latin and means 'stealthy,' Yotam Gottesman, a Senior Security Researcher at enSilo, explains, adding that the program goes to great lengths to avoid being caught by security software: it includes checks for 400 security products. Should any of the products on this extensive list be found on the targeted machine, the malware terminates itself and leaves the computer unharmed.
Built to target Windows computers, the malware was first discovered by a researcher who goes by the name @hFireF0X, who noticed that none of the 56 anti-virus engines on the VirusTotal service detected the new threat. It's unclear who is behind the malware as of now, but it is clear that the actor would rather abort an infection than be caught.
Furtim is deployed as a binary file named “native.dll,” which is a driver supposedly meant to be loaded by the kernel, researchers explain. The analyzed sample was 295 KB in size, was compiled on October 22, 2015, and came unpacked, although it did show protection mechanisms.
Gottesman explains that strings in the sample are obfuscated, the binary contains other encrypted parts, and calls are made dynamically through a large structure of function pointers, although no anti-debugging protection is present. The analysis uncovered the structure used for the function calls and a string-decryption loop which, when run, yields the plaintext strings and a struct full of function pointers.
The most interesting part of the malware was its ability to search the infected machine for registry entries or service executable names of 400 security programs, including well-known and very rare products. As soon as traces of such a program are discovered on the compromised system, the malware terminates itself.
The malicious program also checks for virtualization environments: it is aware of all major virtualization and sandboxing products and avoids them. Additionally, the malware detects DNS filtering services by scanning the network interfaces on the infected machine.