ISPs in at least two countries were involved in delivering surveillance FinFisher Spyware

Pierluigi Paganini September 21, 2017

Security researchers at ESET have uncovered a surveillance campaign using a new variant of FinFisher spyware, also known as FinSpy.

Finfisher infected victims in seven countries and experts believe that in two of them the major internet providers have been involved.

“New surveillance campaigns utilizing FinFisher, infamous spyware known also as FinSpy and sold to governments and their agencies worldwide, are in the wild. Besides featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement.” reads the post published by ESET.

The FinFisher spyware is for law enforcement and government use, but it seems to be preferred by regimes that desire to monitor representatives of the opposition. FinFisher is a powerful cyber espionage malware developed by Gamma Group that is able to secretly spy on victim’s computers intercepting communications, recording every keystroke as well as live surveillance through webcams and microphones.

ESET did not reveal which countries have been involved to avoid putting anyone in danger.

FinFisher is marketed as a law enforcement tool but has a history of turning up in deployments in countries with a poor reputation for human rights. The software offers covert surveillance through keylogging, and exfiltration of files, as well as live surveillance through webcams and microphones.

In the following diagram is shown a detailed diagram of the infection mechanism of latest FinFisher variants.

finfisher infection_mechanism

The novelty in the last campaigns is that in the man-in-the-middle scheme used to deliver the spyware were most likely involved ISPs. When the target is about to download one of the several popular applications (i.e. Skype, Whatsapp or VLC Player)  they are served a trojanized version of the legitimate software.

The applications we have seen being misused to spread FinFisher are WhatsApp, Skype, Avast, WinRAR, VLC Player and some others. It is important to note that virtually any application could be misused in this way.

“The applications we have seen being misused to spread FinFisher are WhatsApp, Skype, Avast, WinRAR, VLC Player and some others. It is important to note that virtually any application could be misused in this way.” continues ESET.

As part of the latest attack, when a user is about to download Skype, Whatsapp or VLC Player they are redirected to the attacker’s server where they are served up by a trojanized version of the app they were seeking that comes contaminated with FinFisher. Other consumer applications ESET has seen being misused to spread FinFisher include Avast and WinRAR.

The researchers revealed that latest version of FinFisher was improved in a significant way, the authors focused their efforts to make the spyware stealth and hard to detect.

“The spyware uses custom code virtualization to protect the majority of its components, including the kernel-mode driver. In addition, the entire code is filled with anti-disassembly tricks. We found numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks in the spyware. All this makes the analysis more complicated.” states ESET.

ESET contacted Gamma Group to report its discovery, but the surveillance firm still has not responded.

Give a look at the ESET report to have further info on the attacks, including the IoC.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  FinFisher, FinSpy Spyware)  

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment