Researchers from SentinelOne Labs discovered the malware, which has already infected at least one European energy company, is so sneaky and advanced that it is likely believed to be the work of a wealthy nation.
The malware, dubbed 'SFG', contains about 280 kilobytes of code, featuring a vast arsenal of tools rarely seen in ordinary malware samples. It takes "extreme measures" to cleverly and stealthily evade a large number of security defenses before it drops its payload.
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
The malware dismantles antiviruses processes one-by-one until the malware is finally safe to uninstall them all. It also encrypts key features of its code so that it could not be discovered and analyzed. It'll not execute itself if it senses it's being run in a sandbox environment.
The Windows-based malware even takes special care of features such as facial recognition, fingerprint scanners, and other advanced biometric access control systems running inside target organizations.
To gain administrative access to the infected computer, the malware sample uses a pair of privilege escalation exploits for Windows flaws (CVE-2014-4113 and CVE-2015-1701) that were patched by Microsoft in October 2014 and May 2015, respectively.
SentinelOne Chief Security Officer Udi Shamir says: "The malware has all the hallmarks of a nation-state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature."Once it has gained administrative control of a computer, the malware surveys the connected network, reports information about the infected network back to its operators, and await further instructions, giving attackers a network backdoor on targeted industrial control systems.
The backdoor could then be used to install other malware on systems for more detailed espionage or "extract data or potentially shut down the energy grid," security researchers warn.
The SFG malware is related to an earlier malware sample dubbed Furtim – another piece of highly sophisticated malware that was uncovered in May – that's also able to evade antivirus and other security defenses.
The amount of time, efforts, and resources required to create the malware means that it is the work of a team of hackers working for a wealthy nation government, though the researchers didn't reveal the nation behind the attack.
"It appears to be the work of multiple developers who've reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the [antivirus] software to stop working without the user being alerted," Shamir wrote says.You can find more technical details about the SFG malware in a report published by the security firm SentinelOne on Tuesday.
"Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state-sponsored attack, rather than a cybercriminal group."