Researchers have uncovered a sophisticated malware campaign capable of causing significant damage to the European energy sector.
Udi Shamir and Joseph Landry of endpoint protection firm SentinelOne explain why the malware, dubbed "SFG," poses a serious threat to European energy companies:
"The malware is most likely a dropper tool being used to gain access to carefully targeted network users, which is then used either to introduce the payload, which could either work to extract data or insert the malware to potentially shut down an energy grid. The exploit affects all versions of Microsoft Windows and has been developed to bypass traditional antivirus solutions, next-generation firewalls, and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware."
Before it runs, SFG checks its environment. The malware prematurely terminates if it detects a sandbox or manual inspection by an analyst. If it detects anti-virus software, it carefully picks and chooses which functionalities to enable in order to evade detection. It also attempts to leverage two privilege escalation exploits (CVE-2014-4113 and CVE-2015-1701) as well as a UAC bypass to obtain administrator privileges.
With that level of access, SFG goes about removing all anti-virus software it can find before running its final payload, a binary which collects information about the infected machine and reports back to the malware's command-and-control (C&C) server over HTTP.
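The behaviour chain described above (protection services stopped, then an HTTP check-in from a dropped binary) is the kind of sequence endpoint telemetry can be correlated on. The following is an added example, not code from the SentinelOne report; the log format, service names, file paths and addresses are all constructed and hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line: "timestamp|host|event_type|detail".
# Service names, paths and IP addresses are hypothetical placeholders.
SAMPLE_LOG = """\
2016-07-12T09:00:01|ws-17|service_stop|WinDefend
2016-07-12T09:00:02|ws-17|service_stop|AVEngineSvc
2016-07-12T09:00:40|ws-17|net_http|C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe -> 203.0.113.5
2016-07-12T09:01:00|ws-22|service_stop|Spooler
2016-07-12T09:01:10|ws-22|net_http|C:\\Program Files\\Internet Explorer\\iexplore.exe -> 198.51.100.9
2016-07-12T11:30:00|ws-31|service_stop|WinDefend
2016-07-12T12:45:00|ws-31|net_http|C:\\Windows\\Temp\\upd.exe -> 203.0.113.5
"""

AV_SERVICES = {"WinDefend", "AVEngineSvc"}        # hypothetical protection service names
TRUSTED_HTTP_CLIENTS = {"iexplore.exe", "chrome.exe", "svchost.exe"}


def parse_events(text):
    """Parse the pipe-delimited log into (time, host, kind, detail) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)


def find_av_kill_then_beacon(text, window=timedelta(minutes=10)):
    """Return (host, process) pairs where a protection service was stopped and,
    within `window`, an untrusted process on the same host made an outbound HTTP
    connection. Stops of unrelated services (e.g. Spooler) and connections from
    known browsers are ignored, as are check-ins that fall outside the window."""
    hits = []
    last_av_stop = {}  # host -> time of the most recent AV service stop
    for ts, host, kind, detail in parse_events(text):
        if kind == "service_stop" and detail in AV_SERVICES:
            last_av_stop[host] = ts
        elif kind == "net_http":
            proc = detail.split(" -> ")[0]
            exe = proc.rsplit("\\", 1)[-1].lower()
            if exe in TRUSTED_HTTP_CLIENTS:
                continue
            if host in last_av_stop and ts - last_av_stop[host] <= window:
                hits.append((host, proc))
    return hits


if __name__ == "__main__":
    for host, proc in find_av_kill_then_beacon(SAMPLE_LOG):
        print(f"{host}: AV stopped, then HTTP from {proc}")
```

On the constructed sample only ws-17 is flagged: ws-22 stopped a non-AV service and used a browser, and ws-31's check-in came more than ten minutes after its AV stop.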
Shamir, who is chief security officer at SentinelOne, attributes SFG's sophistication to the work of a nation-state actor. As quoted by Help Net Security:
"The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature. It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group."
SFG is known to have targeted at least one European energy company, but more attacks could be on the way.
Organisations looking to protect themselves against this malware should review SentinelOne's technical report.