Security researchers have discovered a new campaign targeting energy companies in Western Europe with sophisticated malware that goes to great lengths to remain undetected.
Researchers from SentinelOne Labs discovered the malware, which has already infected at least one European energy company, and say it is so stealthy and advanced that it is likely the work of a wealthy nation.
The malware, dubbed "SFG", contains about 280 kilobytes of code, featuring a vast arsenal of tools rarely seen in ordinary malware samples. It takes "extreme measures" to cleverly and stealthily evade a large number of security defenses before it drops its payload.
To gain administrative access to the infected computer, the malware sample uses a pair of privilege escalation exploits for Windows flaws (CVE-2014-4113 and CVE-2015-1701) that were patched by Microsoft in October 2014 and May 2015, respectively.
SentinelOne Chief Security Officer Udi Shamir says: "The malware has all the hallmarks of a nation-state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature."
Once it has gained administrative control of a computer, the malware surveys the connected network, reports information about the infected network back to its operators, and awaits further instructions, giving attackers a network backdoor into targeted industrial control systems.
The amount of time, effort, and resources required to create the malware means that it is the work of a team of hackers working for a wealthy nation's government, though the researchers did not reveal which nation is behind the attack.
"It appears to be the work of multiple developers who've reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the [antivirus] software to stop working without the user being alerted," Shamir wrote.
"Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state-sponsored attack, rather than a cybercriminal group."
You can find more technical details about the SFG malware in a report published by the security firm SentinelOne on Tuesday.