Notorious Spyware Tool Found Hiding Beneath Four Layers of Obfuscation – Dark Reading

FinFisher/FinSpy, the infamous and highly controversial commercial spyware sold by German firm FinFisher to nation-states and law enforcement for surveillance purposes, now wraps itself in four layers of obfuscation and other detection-evasion methods to elude discovery and analysis.

It took researchers at Moscow-based security firm Kaspersky eight months of full-time reverse engineering and analysis to uncover this ultra-stealthy new version of the spyware for Windows, Mac OS, and Linux. In addition to the four-layer obfuscation, the spyware now uses a UEFI (Unified Extensible Firmware Interface) bootkit to infect its targets and encrypts the malware while it is in memory, according to the researchers. The Kaspersky team’s research began in 2019, and they are finally sharing their findings today at Kaspersky’s online Security Analyst Summit.

“This was one of the most complicated cases for us as researchers,” says Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “They made a lot of effort just to hide everything, even from forensic activities.”

The researchers had previously found malicious installers for TeamViewer, VLC Media Player, and WinRAR that had no links to any known malware. But when they found a Burmese-language website with those same installers, as well as FinFisher samples for Android, they circled back to those earlier installers and connected the dots to FinFisher/FinSpy.

Their findings also shine new light on the conventional wisdom that FinFisher had gone dark for a while starting in 2018. It may well be that the spyware attacks were alive and well this whole time but just not visible due to the complex obfuscation methods, the researchers say.

FinFisher’s operations have long been under scrutiny, including by Amnesty International. The spyware has been found targeting activists, journalists, and dissidents around the world.

The new version of the spyware shows the extreme measures its developers have taken to keep it invisible to detection and inspection: It first employs a pre-validator component to confirm the targeted device does not belong to a security researcher. If it does not, a post-validator then confirms the infected machine belongs to the intended victim; if it does, the malware server installs the Trojan spyware platform itself.

The spyware gathers intel from the infected machine — credentials, file listings, deleted files, documents, livestreaming or recording data, and webcam and microphone access — and employs the “developer mode” of the browser to hijack and intercept HTTPS traffic coming and going on the machine.

“One of the plug-ins collecting encrypted communications is supposed to steal all encryption keys from the user so all of the traffic can be decrypted,” Kuznetsov explains. Developer mode allows them to force the browser to write all keys on the disk for the attackers’ use, he says.

And most of the malware itself, which runs in memory, is encrypted.

“Only a tiny [piece of the malware] in the clear is executed,” he says. “So even if a forensic expert makes a live memory image, it’s almost impossible just to find the malware. Every page will be encrypted, and there’s only one module responsible for encrypting and decrypting all these pages.”
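The forensic problem Kuznetsov describes, encrypted pages in a live memory image, is one that defenders typically triage by entropy: an encrypted page looks like uniformly random bytes, while code, strings and zero-filled pages do not. The following is an added illustration of that check, not code from Kaspersky or from the article; the memory image, page layout and the 7.5-bit threshold are constructed assumptions for the example.

```python
import math
import random
from collections import Counter

PAGE_SIZE = 4096  # assumption: x86 4 KiB pages


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_encrypted_pages(image: bytes, threshold: float = 7.5,
                         page_size: int = PAGE_SIZE) -> list[dict]:
    """Return the pages of a memory image whose entropy is at or above threshold.

    High entropy is a triage hint, not a verdict: compressed resources and
    legitimate crypto buffers also score high, so flagged pages still need
    a human (or a second heuristic) to look at them.
    """
    flagged = []
    for offset in range(0, len(image), page_size):
        page = image[offset:offset + page_size]
        h = shannon_entropy(page)
        if h >= threshold:
            flagged.append({"offset": offset, "entropy": round(h, 3)})
    return flagged


def build_sample_image() -> bytes:
    """Constructed three-page 'memory image' for the demo: one page that
    looks like a PE header plus strings, one page of random bytes standing
    in for an encrypted module page, and one zero-filled page."""
    rng = random.Random(1234)  # fixed seed so the demo is reproducible
    header = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode.\r\n"
    page_code = (header + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00").ljust(PAGE_SIZE, b"\x00")
    page_encrypted = bytes(rng.getrandbits(8) for _ in range(PAGE_SIZE))
    page_zero = bytes(PAGE_SIZE)
    return page_code + page_encrypted + page_zero


if __name__ == "__main__":
    for hit in flag_encrypted_pages(build_sample_image()):
        print(f"page @ {hit['offset']:#x}: entropy {hit['entropy']} bits/byte")
```

On the constructed image only the middle page is reported; on a real dump you would run the same scan and then correlate the flagged pages with the one low-entropy module that must hold the decryption routine, since that is the piece that cannot itself be encrypted.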

What’s especially unusual with this latest version of FinFisher/FinSpy, notes Kuznetsov, is that it combines multilayer obfuscation, encryption, and a large amount of code in its platform.

“Usually [with malware attacks] we either have a lot of obfuscation and not much business logic, or we have big enterprise code with a huge infrastructure but that is not obfuscated,” he says. “Managing both obfuscation …….

Source: https://www.darkreading.com/endpoint/notorious-spyware-tool-found-hiding-beneath-four-layers-of-obfuscation
