A sample of a UEFI bootkit that loaded FinSpy provided the team with clues to its functionality. The Windows Boot Manager (bootmgfw.efi) was replaced with a malicious variant, and once loaded, two encrypted files were also triggered, a Winlogon Injector and the Trojan's main loader.
FinSpy's payload is encrypted, and once a user logs on, the loader is injected into winlogon.exe, leading to the decryption and extraction of the Trojan.
If a target machine is too old to support UEFI, this does not mean it is safe from infection. Instead, FinSpy will target the system via the MBR. It is possible for the malware to strike 32-bit machines.
The spyware is capable of capturing and exfiltrating a wide variety of data from an infected PC, including locally stored media, OS information, browser and virtual private network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.
On mobile, FinSpy will target contact lists, SMS messages, files in memory, email content, and GPS location coordinates. In addition, the malware can monitor Voice over IP (VoIP) communication and is able to rifle through content exchanged via apps including Facebook Messenger, Signal, Skype, WhatsApp, and WeChat.
The macOS version of FinSpy contains only one installer -- and the same applies to the Linux version. However, in the latter case, the infection vector used to deliver FinSpy is currently unknown, although it is suspected that physical access may be required.
(.EFI file that is scanned if you do a scan) .
