FinFisher: New techniques and infection vector revealed

Filip Kafka, Malware Analyst, ESET

The infamous spyware FinSpy continues to be in active use in 2017, despite the fact that many security experts have been monitoring the threat. To avoid detection and stay in this multi-million dollar business, the malware authors continue to actively develop the malware.

Besides the technical improvements it has received, the new variant uses a new and cunning infection vector. In some cases ESET researchers observed, internet service providers (ISPs) seem to be involved in the infection process.

The attack starts when a user – a potential surveillance target – wants to download and install one of several popular applications from their legitimate – and in some cases official – websites. Applications such as WhatsApp, Skype, Avast, WinRAR, VLC Player and Opera, as well as specialized software used particularly by selected groups of interest, have been abused. After clicking on the download link, the user is redirected to a version of the application infected with FinSpy.

Trojanized software is interesting, but other malware has used it in the past; in fact, it is the most popular method of spreading Android malware. The key aspect of FinSpy's new distribution mechanism, however, is a unique way of serving the trojanized installers through a man-in-the-middle attack, which allows the operators to target specific victims.

While it would be technically possible to carry out such attacks using, for example, compromised Wi-Fi hotspots, the geographical dispersion of ESET's detections of FinSpy and other evidence suggest that the MITM attack is happening at a higher level, with an ISP being the most probable option.
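One defender-side check that follows from the infection vector described above: when a request for an installer is answered with a redirect that leaves the vendor's domain, or that steps down from HTTPS to plain HTTP, the event is worth flagging in proxy or gateway logs. The script below is an added example and is not code from the talk or from ESET; the log format, the host names and the installer suffix list are constructed for illustration, and the "registrable domain" helper is a deliberate simplification (last two DNS labels) rather than a public-suffix-list lookup.

```python
"""Audit proxy log records for installer downloads that were redirected
away from the vendor's domain or downgraded from HTTPS to HTTP.
Added example, not from the original talk; every host name and the log
format are constructed."""
from typing import Optional
from urllib.parse import urlparse

# Constructed sample log: "<timestamp> <client> <method> <url> <status> <location>"
# ("-" in the last column means the response carried no Location header).
SAMPLE_LOG = """\
2017-09-01T10:00:01Z 10.0.0.5 GET http://download.example-vendor.test/setup.exe 307 http://cdn-mirror.test/setup.exe
2017-09-01T10:00:02Z 10.0.0.5 GET http://cdn-mirror.test/setup.exe 200 -
2017-09-01T10:05:00Z 10.0.0.7 GET http://download.example-vendor.test/setup.exe 302 https://download.example-vendor.test/setup.exe
2017-09-01T10:05:01Z 10.0.0.7 GET https://download.example-vendor.test/setup.exe 200 -
2017-09-01T10:10:00Z 10.0.0.9 GET https://example-vendor.test/download/setup.exe 301 http://example-vendor.test/download/setup.exe
2017-09-01T10:15:00Z 10.0.0.9 GET https://www.example-vendor.test/index.html 200 -
"""

# Constructed list of file extensions treated as installers.
INSTALLER_SUFFIXES = (".exe", ".msi", ".apk", ".dmg", ".pkg")


def registrable_domain(host: str) -> str:
    """Crude 'site' of a host: its last two labels.  A real deployment
    would consult the public suffix list; this is enough for the sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, method, url, status, location = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status),
            "location": None if location == "-" else location}


def classify_redirect(url: str, location: str) -> Optional[str]:
    """Return a reason string if a redirect from url to location is
    suspicious, or None if it stays on-site and does not downgrade."""
    src, dst = urlparse(url), urlparse(location)
    if registrable_domain(src.hostname or "") != registrable_domain(dst.hostname or ""):
        return "off-domain"
    if src.scheme == "https" and dst.scheme == "http":
        return "https-to-http downgrade"
    return None


def find_suspicious_redirects(log_text: str) -> list:
    """Scan log text and return one finding per suspicious installer redirect."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Only 3xx responses that actually carry a Location header matter.
        if not (300 <= rec["status"] < 400) or rec["location"] is None:
            continue
        path = urlparse(rec["url"]).path.lower()
        if not path.endswith(INSTALLER_SUFFIXES):
            continue  # not an installer fetch
        reason = classify_redirect(rec["url"], rec["location"])
        if reason:
            findings.append({"client": rec["client"], "url": rec["url"],
                             "location": rec["location"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE_LOG):
        print(f"{f['client']}: {f['url']} -> {f['location']} ({f['reason']})")
```

On the sample, the first client's fetch is flagged as off-domain and the third client's as an HTTPS-to-HTTP downgrade, while the second client's HTTP-to-HTTPS redirect on the vendor's own host passes. A redirect check of this kind only complements, and does not replace, verifying the downloaded installer's publisher signature or vendor-published hash before it is run.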

If confirmed, this FinSpy campaign would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach.

FinSpy has also evolved technically, with its authors putting an even greater focus on stealth. The malware uses a custom virtual machine to protect all of its components, including the kernel-mode driver. Custom anti-sandbox, anti-disassembly, anti-debug and anti-emulation tricks have been found in the malware. This demonstrates a great deal of effort on the part of the malware writers.

In the presentation, we will describe the background of the FinSpy spreading vectors, provide more detailed evidence that the redirection is happening at the ISP level, and analyze the various obfuscation techniques implemented in the new FinSpy variants, which we overcame by fully devirtualizing the samples.

Filip Kafka
Filip Kafka is a malware analyst at ESET's Malware Analysis Laboratory. His main responsibilities include detailed malware analyses and training new reverse engineers in the ESET Virus Lab, but his professional interests, as well as his latest research, focus on APTs. His speaking experience includes the Virus Bulletin conference, a reverse engineering course that he runs at the Slovak University of Technology and Comenius University, reverse engineering and malware research workshops held in London, Brno and Bratislava, and several malware and computer security awareness events presented for local universities.