Researchers at Citizen Lab have been monitoring the use of surveillance tools like FinFisher over the past years reporting its use by totalitarian governments.
The researchers tracked the physical locations of servers belonging to the control infrastructure used by the Germany-based FinFisher GmbH.
The infrastructure aims to cover the operation and the identity of the attackers, each FinFisher customer use master server dubbed “FinSpy Master” and multiple relays, the FinSpy Relays, that act as command and control (C&C) servers.
The FinFisher spyware, once infected the target machine, communicates with the relay servers, which act as a link to the master server.
The experts at the Citizen Lab used the Zmap tool to reveal the existence of 135 servers (FinSpy Masters and Relays). As explained by the experts the master servers are usually deployed on the customer’s meanwhile proxy servers could be located elsewhere.
“We employed zmap to scan the entire IPv4 Internet (/0) several times since the end of December 2014 and throughout 2015, using a new FinFisher server fingerprint that we devised by analyzing FinFisher samples. Our scans yielded 135 servers matching our fingerprint, which we believe are a mix of FinSpy Masters and FinSpy Relays.” states the report published by Citizen Lab.
It is curious to note that the analysis of the Relay servers used to protect the identity of the Master, allowed the researchers at the Citizen Lab to find the locations of the Masters.
If someone tries to connect the IP address of a FinSpy Relay with a common browser, he is usually presented with a decoy page, often Google.com or Yahoo.com.
The researchers discovered that if the decoy page is Google, running a query for “my ip address” the search engine will display the real IP address of the FinSpy Master.
“We found some variation in the decoy pages used by FinFisher servers that we detected, though the bulk used either www.google.com or www.yahoo.com. Peculiarly, FinSpy Relays appear to return decoy pages fetched by their FinSpy Master, rather than directly fetching the decoy pages themselves. Thus, in many cases, the pages returned by the FinSpy Relays contain location data apparently about the FinSpy Master (e.g., certain Google and Yahoo pages embed the requester’s IP address or localized weather), which can reveal the location of FinSpy Masters.” continues the report.
In the case of the Yahoo decoy page, Citizen Lab used an alternative method to obtain the FinSpy Master location, in this case, in fact, the web page’s source code contains location data because Yahoo uses it to display customized weather information and news on the homepage.
The experts highlighted that the number of servers returning decoy pages has decreased over time, the researchers identified FinFisher users in 32 countries. Last analysis conducted by the organization allowed it to identify customers in 16 countries, the newly discovered countries are Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela.
In some cases, the experts were able to trace the identified IP addresses to specific government offices.
The systems of FinFisher were hacked last year and hackers disclosed 40 GB of data of FinFisher government spyware.
(Security Affairs – FinFisher, FinSpy Spyware)