Notorious Spyware Tool Found Hiding Beneath Four Layers of Obfuscation

FinFisher (aka FinSpy) surveillance software now goes to extreme lengths to duck analysis and discovery, researchers found in a months-long investigation.

Sample of code from the FinFisher bootloader \efi\microsoft\boot\en-us\ directory
Kaspersky shared this sample of code from the bootloader \efi\microsoft\boot\en-us\ directory.Kaspersky Securelist blog

FinFisher/FinSpy, the infamous and highly controversial commercial spyware sold by German firm FinFisher to nation-states and law enforcement for surveillance purposes, now wraps itself in four layers of obfuscation and other detection-evasion methods to elude discovery and analysis.

It took researchers at Moscow-based security firm Kaspersky eight months of full-time reverse engineering and analysis to uncover this ultra-stealthy new version of the spyware for Windows, Mac OS, and Linux. In addition to a four-layer obfuscation method, the spyware also now employs a UEFI (Unified Extensible Firmware Interface) bootkit for infecting its targets, and it also encrypts the malware in memory, according to the researchers. The Kaspersky team's research began in 2019, and they are finally sharing their findings today at Kaspersky's online Security Analyst Summit.

"This was one of the most complicated cases for us as researchers," says Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). "They made a lot of effort just to hide everything, even from forensic activities."

The researchers had previously found malicious installers for TeamViewer, VLC Media Player, and WinRAR that had no links to any known malware. But when they found a Burmese-language website with those same installers, as well as FinFisher samples for Android, they circled back to those earlier installers and connected the dots to FinFisher/FinSpy.

Their findings also shine new light on the conventional wisdom that FinFisher had gone dark for a while starting in 2018. It may well be that the spyware attacks were alive and well this whole time but just not visible due to the complex obfuscation methods, the researchers say.

FinFisher's operations have long been under scrutiny, including by Amnesty International. The spyware has been found targeting activists, journalists, and dissidents around the world.

The new version of the spyware shows the extreme measures its developers have taken to keep it invisible to detection and inspection: It first employs a pre-validator component to confirm the targeted device does not belong to a security researcher. If it doesn't, the post-validator confirms the infected machine belongs to the targeted victim; if it does, the malware server installs the Trojan spyware platform itself.

The spyware gathers intel from the infected machine — credentials, file listings, deleted files, documents, livestreaming or recording data, and webcam and microphone access — and employs the "developer mode" of the browser to hijack and intercept HTTPS traffic coming and going on the machine.

"One of the plug-ins collecting encrypted communications is supposed to steal all encryption keys from the user so all of the traffic can be decrypted," Kuznetsov explains. Developer mode allows them to force the browser to write all keys on the disk for the attackers' use, he says.

And most of the malware itself, which runs in memory, is encrypted. 

"Only a tiny [piece of the malware] in the clear is executed," he says. "So even if a forensic expert makes a live memory image, it's almost impossible just to find the malware. Every page will be encrypted, and there's only one module responsible for encrypting and decrypting all these pages."

What's especially unusual with this latest version of FinFisher/FinSpy, notes Kuznetsov, is it uses multilayer obfuscation, encryption, and a large amount of code in its platform. 

"Usually [with malware attacks] we either have a lot of obfuscation and not much business logic, or we have big enterprise code with a huge infrastructure but that is not obfuscated," he says. "Managing both obfuscation and encryption, and maintaining that amount of code is really complicated."

Kaspersky researchers say they can't discuss the victims whose infections they investigated. They wouldn't speculate on who was behind the attacks or what specifically they were after, either, but it was clear the attacks were all about the targeted victim. 

"It's not about lateral movement," says Kuznetsov. "It's just about the user of the computer."

Just how FinSpy got onto the victim's machines studied by the researchers is unknown, but it's possible the attackers could have physical access or had pilfered administrative credentials. Kuznetsov says the victims somehow downloaded and inadvertently installed the first stage of the malware.

One sample of FinFisher had replaced the Windows UEFI bootloader. (UEFI is the interface in a microprocessor that operates by booting the system and loading the operating system.) FinFisher's malicious UEFI code then can bypass any firmware security checks. According to the researchers, FinFisher's UEFI bootkit didn't infect the firmware itself but the boot stage and on a separate partition, which makes it harder to detect. 

There are plenty of best practices to protect against FinSpy or other spyware, including the usual process of keeping software updated and only via trusted sources, avoiding opening unsolicited attachments or links, employing strong endpoint protection, and providing cybersecurity awareness training, for example, according to Kaspersky.

The researchers today published a technical report on their findings on the Securelist blog.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights