It’s not the next Stuxnet, says Damballa, it’s just very naughty code.
Malware hyped as aimed at the heart of power plants is nothing of the sort, according to security outfit Damballa, which has put its name to analysis claiming the “SFG” malware is run-of-the-mill code without the smarts to target SCADA systems.
The so-called SFG malware is the spawn of Furtim, and hit headlines as targeting industrial control systems when all it does is create a backdoor for ordinary data exfiltration and payload dropping.
Security outfit SentinelOne Labs found SFG and said it spotted the code infecting systems owned by a European energy company. SentinelOne said those attacks looked like the work of a nation-state.
But Damballa says the malware is a regular, financially motivated menace with no SCADA (supervisory control and data acquisition) targeting.
“SFG is just another Furtim build,” Damballa researchers say.
“There is no code specific to attacking industrial control systems or SCADA systems.
“[SFG] does not appear to be a nation-state operation, and there is no specific threat to any particular sector.”
SentinelOne has since backtracked on its claims after copping criticism for its analysis, saying it does not have evidence that the malware was targeting SCADA systems.
“There have been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems,” the company says in an update.
“We want to emphasise that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target.”
Comparing the original post, found in Bing’s cache, with the updated version shows that the claim that the targeted energy company was European was deleted, along with a footer marketing call asking readers in the energy sector to contact the firm.
Researchers say the malware uses a “kitchen sink” approach to detecting sandboxes, honeypots and other white-hat analysis environments, a “cobbled together” mash of checks lifted from years-old malware code.
Yet it is, they say, the “most comprehensive” copy-and-paste effort to date.
Damballa also finds the malware notable for its use of the new ‘fluxxy’ fast-flux infrastructure, in which carding sites are hosted on a network of compromised Russian and Ukrainian home computers whose IP addresses change constantly.
That fluxxy network powers malware campaigns including Carberp, Gozi ISFB, Pony, TeslaCrypt, GameOver ZeuS/Zbot and Tinba.
“We should focus our intelligence efforts on mapping this fast-flux infrastructure and working with authorities to disrupt, degrade, and destroy it,” Damballa says.
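Mapping fast-flux infrastructure of the kind Damballa describes starts with the DNS: a fluxed name resolves to a churn of unrelated home-broadband addresses with short TTLs, whereas ordinary hosting sits on one address, or on a round-robin within a single provider block, for hours. The following is an added example, not code from the article, Damballa or SentinelOne; it scores constructed passive-DNS observations (placeholder names and addresses, not indicators from the story) on three hypothetical signals, and the thresholds are assumptions to tune against your own data.

```python
"""Fast-flux heuristic over passive-DNS observations (added example).

Scores each queried name on three signals: number of distinct answer IPs,
number of distinct /24s those IPs fall in, and median answer TTL.
The data and thresholds below are constructed assumptions.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations, one per A record seen:
# (queried name, answer IP, answer TTL in seconds).
OBSERVATIONS = [
    # Looks like fast flux: fresh IPs in unrelated /24s, short TTL.
    ("cards-shop.invalid", "10.11.12.13", 60),
    ("cards-shop.invalid", "10.99.3.7", 60),
    ("cards-shop.invalid", "10.5.200.41", 120),
    ("cards-shop.invalid", "10.140.8.9", 60),
    ("cards-shop.invalid", "10.77.77.2", 60),
    ("cards-shop.invalid", "10.23.1.250", 60),
    # Ordinary hosting: one address, long TTL.
    ("corp-site.invalid", "192.0.2.10", 3600),
    ("corp-site.invalid", "192.0.2.10", 3600),
    # Round-robin inside one provider block: many IPs, one /24, long TTL.
    ("loadbalanced.invalid", "198.51.100.1", 1800),
    ("loadbalanced.invalid", "198.51.100.2", 1800),
    ("loadbalanced.invalid", "198.51.100.3", 1800),
    ("loadbalanced.invalid", "198.51.100.4", 1800),
    ("loadbalanced.invalid", "198.51.100.5", 1800),
]


def summarise(observations):
    """Group records by name: distinct IPs, distinct /24s and all TTLs seen."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for name, ip, ttl in observations:
        rec = per_name[name]
        rec["ips"].add(ip)
        # strict=False masks the host bits so 10.11.12.13/24 -> 10.11.12.0/24
        rec["nets"].add(ip_network(f"{ip}/24", strict=False))
        rec["ttls"].append(ttl)
    return per_name


def flux_score(rec, min_ips=5, min_nets=3, max_ttl=300):
    """Return 0..3: one point each for many IPs, many /24s and a short TTL.

    Thresholds are assumptions; a round-robin farm earns the IP point but
    not the /24 or TTL points, which is why candidates need two of three.
    """
    score = 0
    if len(rec["ips"]) >= min_ips:
        score += 1
    if len(rec["nets"]) >= min_nets:
        score += 1
    if statistics.median(rec["ttls"]) <= max_ttl:
        score += 1
    return score


def flux_candidates(observations, threshold=2):
    """Names whose score reaches the threshold, mapped to their score."""
    candidates = {}
    for name, rec in summarise(observations).items():
        score = flux_score(rec)
        if score >= threshold:
            candidates[name] = score
    return candidates


if __name__ == "__main__":
    for name, rec in summarise(OBSERVATIONS).items():
        print(f"{name:22} ips={len(rec['ips'])} nets={len(rec['nets'])} "
              f"median_ttl={statistics.median(rec['ttls'])} "
              f"score={flux_score(rec)}")
    print("candidates:", flux_candidates(OBSERVATIONS))
```

On the constructed data only the carding-style name scores as a candidate (3 of 3), the single-host site scores 0 and the round-robin farm scores 1. The obvious false positive in real data is a CDN, which also answers with short TTLs and addresses in many netblocks; the usual refinement is to replace the /24 count with the number of distinct ASNs and to whitelist known CDN ranges before scoring.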