State-sponsored malware targeting energy companies across Europe, says security firm
Researchers suspect Russian coders are involved in the campaign.
A new malware campaign targeting energy companies in Europe has been uncovered by security researchers. The malware's "sophistication" and "extreme" ability to evade security detection are such that researchers believe it is "a nation-state sponsored initiative". Researchers suspect the malware was developed by engineers located in Eastern Europe.
Security firm SentinelOne said that at least one unnamed European energy firm had been targeted by the malware, which was released in May of this year and is still active.
SentinelOne's senior researcher Joseph Landry told ArsTechnica that there was a possibility the malware was developed by skilled Russian coders. However, he added that this attribution theory was only speculation.
Explaining the extensive reach of the malware, Landry said, "If you wanted an implant on a network where you could run whatever you wanted with impunity, this is that thing. All you've got to do is get this on one of the machines in the network and from there you can pivot to whatever you want."
The malware code is encrypted in a way that makes it difficult to detect and analyse. Moreover, the code is capable not only of evading security detection but also of disabling and uninstalling antivirus software. Once the code gains administrative privileges, it conducts a thorough survey of the network, reports the findings to its operators and awaits further instructions.
The malware has also been designed to proceed with extreme caution when running within systems that use technically advanced authentication measures like facial recognition, fingerprint scanners and others.
SentinelOne researchers also noted that the malware dropper was the parent of yet another stealthily operating malware called Furtim, which was first spotted in May. Furtim has several similarities to the newly uncovered malware dropper. It is also capable of accessing account credentials to disable hibernation and/or sleep modes, in an effort to ensure that the infected system remains continuously synced with its C&C (command and control) servers.
© Copyright IBTimes 2024. All rights reserved.