FinFisher, also known as FinSpy or Wingbird, is a surveillance tool that Kaspersky has been tracking since 2011. It can collect a wide range of documents, live-streaming data, webcam and microphone feeds, credentials, file listings and even deleted files. Its Windows implants were spotted and kept under observation several times until 2018, when FinFisher dropped off the radar.
Researchers later detected suspicious installers of legitimate applications such as TeamViewer, VLC Media Player and WinRAR that contained malicious code which could not be linked to any known malware.
Unlike previous versions, the trojanized application was protected by two new components: a non-persistent pre-validator and a post-validator. The pre-validator runs multiple checks to make sure the infected device does not belong to a security researcher. Once those checks pass, the server delivers the post-validator component, which in turn arranges the delivery of the full-fledged Trojan platform.
The FinFisher sample is heavily obfuscated with four complex, custom-built ‘obfuscators’ whose primary purpose is to slow down analysis of the spyware. The Trojan also uses unusual ways of gathering information: for example, it abuses the developer mode in browsers to intercept traffic protected by HTTPS.
Researchers also discovered a FinFisher sample that replaces the Windows UEFI boot loader, the component that loads the operating system once the firmware has finished booting. This route of infection lets attackers run a bootkit without having to bypass firmware security checks. UEFI infections are rare and often difficult to execute, and they stand out for being hard to detect and hard to clean. In this case the attackers infected the boot stage that follows the firmware rather than the UEFI firmware itself, yet the attack still went unnoticed because the malicious module was installed on a separate partition and could take control of the infected machine's boot process.
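A defender-side check that follows from this: since the malicious module lived on a separate partition and hijacked the boot process, a first triage step on a Windows machine is to list every partition of EFI type, confirm that the Windows Boot Manager on the EFI System Partition still carries a valid Microsoft signature, and see which device the BCD boot entries point to. The PowerShell below is an added example written for this page, not code from the article or from Kaspersky; it assumes an elevated prompt on a UEFI-booted Windows machine and that the drive letter S: is free (the $EspLetter variable is my own name).

```powershell
# Added example (not from the article or Kaspersky): triage the Windows boot chain
# from inside the running OS. Run from an elevated PowerShell prompt on a UEFI machine.
# Assumption: drive letter S: is unused; change $EspLetter otherwise.
$EspLetter = 'S:'

# 1. Mount the EFI System Partition (mountvol /S is the documented way to do this).
mountvol $EspLetter /S | Out-Null

try {
    # 2. Enumerate every EFI System Partition on every disk. The GUID below is the
    #    standard GPT partition type for an ESP. More than one ESP, or an ESP on an
    #    unexpected disk, deserves a closer look.
    $EspTypeGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $esps = Get-Partition | Where-Object { $_.GptType -eq $EspTypeGuid }
    Write-Host "EFI System Partitions found: $($esps.Count)"
    $esps | Format-Table DiskNumber, PartitionNumber, Size -AutoSize

    # 3. Verify the Authenticode signature of the Windows Boot Manager on the ESP.
    $bootmgr = Join-Path $EspLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
    $sig = Get-AuthenticodeSignature -FilePath $bootmgr
    Write-Host "bootmgfw.efi signature status: $($sig.Status)"
    Write-Host "Signer: $($sig.SignerCertificate.Subject)"
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning 'Boot manager is not validly signed by Microsoft: investigate.'
    }

    # 4. Record the SHA-256 so later runs can detect a replaced file.
    Write-Host "bootmgfw.efi SHA-256: $((Get-FileHash -Path $bootmgr -Algorithm SHA256).Hash)"

    # 5. Show which device the firmware boot-manager entry and the current OS loader
    #    point to. Braces are quoted because PowerShell would otherwise parse them
    #    as a script block.
    bcdedit /enum '{bootmgr}'
    bcdedit /enum '{current}'
}
finally {
    # 6. Unmount the ESP again.
    mountvol $EspLetter /D
}
```

What to look for: an extra EFI-type partition, a boot manager whose signature is missing or not Microsoft's, or a BCD entry whose device is not the partition you expect. Keep in mind that a bootkit that already controls the boot chain runs before the OS and can influence what the OS reports, so repeat the inspection from trusted offline boot media if anything here looks off.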
Igor Kuznetsov, Chief Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT), said: “The amount of work being done to make FinFisher accessible to security researchers is impressive and alarming. It seems that developers are just as mindful of obfuscation and anti-analysis measures as the Trojan itself. As a result, their ability to evade detection and analysis makes spyware particularly difficult to track and detect. The fact that high-precision deployment and analysis of spyware is practically impossible means its victims are vulnerable and researchers face a particular challenge. Sophisticated threats like FinFisher demonstrate the importance of security researchers collaborating, exchanging information, and investing in new security solutions that can combat such threats. I believe in you.”
To protect yourself from threats like FinFisher, follow these recommendations:
Download your apps and programs from trusted websites.
Don’t forget to update your operating system and all your software regularly. Many security issues can be resolved by installing updated versions of software.
Do not blindly trust email attachments. Before you open an attachment or follow a link, think carefully: is it from someone you know and trust, were you expecting it, does it look legitimate? Hover over links and attachments to see where they actually lead.
Avoid installing software from unknown sources; it may contain malicious files.
Use a powerful security solution on all computers and mobile devices.
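The backdoored TeamViewer, VLC and WinRAR installers mentioned earlier are exactly what the advice to download only from trusted sources is meant to defeat. A practical way to apply that advice on Windows, shown here as an added example that is not part of the article, is to inspect a downloaded installer's mark-of-the-web, its Authenticode signature and its SHA-256 before running it. The function name Test-InstallerTrust, its parameter names, and the placeholder hash and publisher pattern in the usage line are my own and must be replaced with the real values from the vendor's download page.

```powershell
# Added example (not from the article): vet a downloaded installer before running it.
# Assumptions: the path, expected hash and publisher pattern are placeholders that the
# user replaces with values from the vendor's official download page.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,            # optional: SHA-256 published by the vendor
        [string] $ExpectedPublisherPattern   # optional: regex matched against the signer subject
    )
    $ok = $true

    # 1. Mark-of-the-Web: browser downloads on NTFS carry a Zone.Identifier stream that
    #    records the zone and often the source URL. Useful context, not proof of anything.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) { Write-Host "Download metadata : $($zone -join '; ')" }

    # 2. Authenticode: a repackaged installer is typically unsigned or signed by a
    #    different party, so the signature must be valid AND from the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "Signature status  : $($sig.Status)"
    Write-Host "Signer            : $($sig.SignerCertificate.Subject)"
    if ($sig.Status -ne 'Valid') {
        Write-Warning 'Signature is missing or invalid.'
        $ok = $false
    }
    elseif ($ExpectedPublisherPattern -and
            $sig.SignerCertificate.Subject -notmatch $ExpectedPublisherPattern) {
        Write-Warning 'Signed, but not by the expected publisher.'
        $ok = $false
    }

    # 3. Hash: compare against the value the vendor publishes, if one is available.
    #    Get-FileHash returns upper-case hex, so normalise the expected value.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "SHA-256           : $hash"
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpper()) {
        Write-Warning 'SHA-256 does not match the vendor-published value.'
        $ok = $false
    }
    return $ok
}

# Usage (placeholders): only run the installer when every check passes.
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\installer.exe" `
#     -ExpectedSha256 'PASTE-VENDOR-SHA256-HERE' -ExpectedPublisherPattern 'Example Vendor'
```

The signature check is the one that catches the case the article describes, a legitimate installer repackaged with extra code; the hash comparison adds value only when the reference hash comes from a channel you trust more than the download itself.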