Latest FinFisher spyware upgrades 'particularly worrying,' says Kaspersky

silversurfer

Kaspersky has presented the findings of an eight-month probe into the FinFisher spyware toolset – including the discovery of a UEFI "bootkit" infection method and "advanced anti-analysis methods" such as "four-layer obfuscation."

FinFisher, also known as FinSpy, is a product from Anglo-German spy firm Gamma International and supplied exclusively to law enforcement and intelligence agencies for use as a surveillance tool. The software was allegedly used by the former Egyptian government of Hosni Mubarak to spy on dissidents and by the Bahraini government to spy on Bahraini activists in Britain – the latter resulting in the software having been found in breach of human rights.

The toolkit receives frequent updates to evade detection and add new functionality, with Kaspersky having previously investigated a 2019 update which boosted its spying capabilities to include chat, physical movement, microphone, and camera access, alongside locally stored data capture and exfiltration.

In Kaspersky's latest report on the tool, the company's research team claimed that Gamma International has been working on hiding the tool from anti-malware detection and even professional analysis.

"Unlike previous versions of the spyware, which contained the Trojan in the infected application right away, new samples were protected by two components: non-persistent Pre-validator and a Post-Validator," the report said.

The pre-validator performs a range of checks to see if the system being infected might belong to a security researcher analysing the malware, refusing to allow the infection to take hold if so. Should the pre-validator not be triggered, a post-validator is provided by the command-and-control server to check that the system to be infected is indeed the target device – and only if both tests hold true will the Trojan be downloaded and installed.

The researchers also discovered a "four-layer obfuscation" system, designed to protect the malware from analysis should it somehow fall into the wrong hands, and one sample which was designed to replace the Windows Unified Extensible Firmware Interface (UEFI) bootloader with its own malicious equivalent – installing a boot-time infection without triggering firmware security checks.

"The amount of work that was put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive. It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself," said Kaspersky's Igor Kuznetsov in a statement as the researchers presented their findings at the Security Analyst Summit 2021 today.

"As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect. The fact that this spyware is deployed with high precision and is practically impossible to analyse also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample."

"UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence," the researchers claimed. "While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine."

"I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge," Kuznetsov concluded, "as well as invest in new types of security solutions that can combat such threats."

Kaspersky's advice to anyone looking to protect themselves from FinFisher and similar attacks: obtain software only from trusted websites; keep all software and the operating system itself up-to-date; "distrust email attachments by default"; and avoid installing software from unknown sources.

The full report is available to read on Kaspersky's Securelist now. The company declined to share details about the number or identities of the targets discovered during the investigation – though it did state the two UEFI infection targets were located in Europe and Asia.

Gamma International did not respond to a request for comment at the time of publication.
 

Andy Ful

The bootkit variant is very stealthy. The user-mode variant (most popular) of this sophisticated spyware still uses the very basic persistence method via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key. :unsure:

The Initial Loader

The Initial Loader is a DLL that is launched on every startup by rundll32.exe (the Trojan adds it to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, the value name is unique for each sample). The size of the Initial Loader exceeds 5 MB. It is obfuscated with a protector resembling the open source OLLVM obfuscator. Despite its size, the only functionality of the Initial Loader is to decrypt and launch the 32-bit Trojan Loader.
 
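A triage script for the persistence mechanism quoted in the post above, added here as an example; it is not code from Kaspersky's report or from the post. It enumerates the HKCU Run values (or takes a list collected elsewhere), picks out entries that start a DLL through rundll32.exe, and notes whether the DLL sits in a user-writable directory and whether it exceeds the 5 MB size the post mentions. The sample entries, value name, paths and file sizes are constructed for illustration; the 5 MB threshold and the list of user-writable directories are assumptions.

```python
"""Triage HKCU Run entries for DLL loaders started through rundll32.exe.

Added example (not from Kaspersky's report or the forum post): flags Run
values that launch a DLL via rundll32.exe, notes whether the DLL lives in
a user-writable directory and whether it exceeds the 5 MB the post
mentions.  Sample entries, names, paths and sizes below are constructed.
"""
import os
import re
import sys
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

# rundll32 command lines look like:  rundll32.exe <dll>,<entrypoint> [args]
# The executable may carry a full path and the DLL path may be quoted.
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?)"?\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+)\s*(?:,\s*(?P<export>\S+))?',
    re.IGNORECASE,
)

# Assumption: a loader dropped here is more suspect than one under
# Program Files or System32, because a standard user can write to these.
_USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                  "\\users\\public\\", "\\downloads\\")

# Assumed threshold taken from the post: the Initial Loader exceeds 5 MB.
LARGE_DLL_BYTES = 5 * 1024 * 1024


@dataclass
class Finding:
    value_name: str
    dll_path: str
    export: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_rundll32(command: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll_path, entrypoint) if the command runs rundll32.exe, else None."""
    m = _RUNDLL32_RE.match(command)
    if m is None:
        return None
    return m.group("dll").strip('"'), m.group("export")


def triage_run_entries(entries: Iterable[Tuple[str, str]],
                       size_of: Callable[[str], int] = os.path.getsize) -> List[Finding]:
    """entries: (value_name, command) pairs; size_of: path -> bytes, raising OSError if absent."""
    findings = []
    for name, command in entries:
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll, export = parsed
        f = Finding(name, dll, export, ["started via rundll32.exe from HKCU Run"])
        if any(part in dll.lower() for part in _USER_WRITABLE):
            f.reasons.append("DLL is in a user-writable directory")
        try:
            size = size_of(dll)
        except OSError:
            f.reasons.append("DLL not found on disk (expand env vars / check raw path)")
        else:
            if size > LARGE_DLL_BYTES:
                f.reasons.append(f"DLL is {size / 1048576:.1f} MB (> 5 MB)")
        findings.append(f)
    return findings


def collect_hkcu_run() -> List[Tuple[str, str]]:
    """Read the live HKCU Run key (Windows only) into (name, command) pairs."""
    if sys.platform != "win32":
        raise RuntimeError("live registry enumeration needs Windows")
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _kind = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# --- constructed sample data for an offline run (not from any real sample) ---
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("x7f3a19c", r'rundll32.exe "C:\Users\alice\AppData\Roaming\Adobe\updater.dll",ExportA'),
    ("NvBackend", r"rundll32.exe C:\Windows\System32\nvcpl.dll,NvStartup"),
]
_SAMPLE_SIZES = {
    r"C:\Users\alice\AppData\Roaming\Adobe\updater.dll": 5_400_000,
    r"C:\Windows\System32\nvcpl.dll": 3_200_000,
}


def sample_size_of(path: str) -> int:
    """Stand-in for os.path.getsize over the constructed sample set."""
    if path not in _SAMPLE_SIZES:
        raise FileNotFoundError(path)
    return _SAMPLE_SIZES[path]


def demo() -> List[Finding]:
    return triage_run_entries(SAMPLE_RUN_ENTRIES, size_of=sample_size_of)


if __name__ == "__main__":
    for finding in demo():
        print(finding.value_name, finding.dll_path, finding.export, finding.reasons)
```

Running `demo()` flags both rundll32 entries but only the one under AppData picks up the location and size reasons; rundll32 in a Run value is not malicious on its own (graphics drivers use the same pattern), so the location, size and the DLL's own signature and obfuscation are what decide the call. On a live Windows host, feed `collect_hkcu_run()` into `triage_run_entries`.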

LASER_oneXM


Evasiveness and persistence powerhouse


"During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one," Kaspersky researchers revealed today.

"This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence."

UEFI (Unified Extensible Firmware Interface) firmware allows for highly persistent bootkit malware as it's installed within SPI flash storage soldered to computers' motherboards, making it impossible to get rid of via hard drive replacement or even OS re-installation.

Bootkits are malicious code planted in the firmware invisible to security solutions within the operating system since it's designed to load before everything else, in the initial stage of a device's booting sequence.
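Two offline checks for the Boot Manager replacement described in the post above, added here as an example that is not part of the original posts or of Kaspersky's report: whether a bootmgfw.efi copied off the EFI System Partition carries any embedded Authenticode signature at all (a non-empty Certificate Table data directory in the PE headers), and whether its SHA-256 matches a reference copy. Using `%SystemRoot%\Boot\EFI\bootmgfw.efi` as the reference is an assumption, and the toy PE32+ image used for the offline demo is constructed.

```python
"""Offline sanity checks for a Windows Boot Manager copied off the ESP.

Added example, not from Kaspersky's report: (1) does the PE image carry an
embedded Authenticode signature at all, i.e. a non-empty Certificate Table
data directory; (2) does its SHA-256 match a reference copy of bootmgfw.efi
(assumed reference location: %SystemRoot%\Boot\EFI\bootmgfw.efi).  A present
signature is not a verified one; validate the chain with signtool or
Get-AuthenticodeSignature.  The toy PE image below is constructed.
"""
import hashlib
import struct
from typing import Optional, Tuple

_SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_directory(pe: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of the Certificate Table; raise ValueError if not PE."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                      # PE32
        dirs = opt + 96
    elif magic == 0x20B:                    # PE32+, used by x64 UEFI images
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Unlike other directories, the security entry holds a raw file offset.
    return struct.unpack_from("<II", pe, dirs + 8 * _SECURITY_DIR_INDEX)


def has_authenticode_signature(pe: bytes) -> bool:
    off, size = authenticode_directory(pe)
    return off != 0 and size != 0 and off + size <= len(pe)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_boot_manager(esp_copy: bytes, reference: Optional[bytes] = None) -> dict:
    """Summarise both checks for one bootmgfw.efi image."""
    result = {"sha256": sha256_hex(esp_copy),
              "signed": has_authenticode_signature(esp_copy),
              "matches_reference": None}
    if reference is not None:
        result["matches_reference"] = result["sha256"] == sha256_hex(reference)
    return result


def assess_files(esp_path: str, reference_path: Optional[str] = None) -> dict:
    """Same as assess_boot_manager but reading from disk (e.g. a mounted ESP)."""
    with open(esp_path, "rb") as fh:
        esp = fh.read()
    ref = None
    if reference_path:
        with open(reference_path, "rb") as fh:
            ref = fh.read()
    return assess_boot_manager(esp, ref)


def build_toy_pe32plus(with_signature: bool) -> bytes:
    """Constructed headers-only PE32+ image for the demo; not a real bootloader."""
    e_lfanew = 0x80
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=AMD64, 0 sections, SizeOfOptionalHeader=0xF0
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 0, 0, 0, 0, 0xF0, 0x2022)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x20B)          # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)       # NumberOfRvaAndSizes
    if with_signature:
        # WIN_CERTIFICATE header (dwLength, wRevision=0x0200, wCertificateType=PKCS7)
        blob = struct.pack("<IHH", 8 + 16, 0x0200, 0x0002) + b"\x30" * 16
        struct.pack_into("<II", img, opt + 112 + 8 * _SECURITY_DIR_INDEX, len(img), len(blob))
        img += blob
    return bytes(img)


if __name__ == "__main__":
    print(assess_boot_manager(build_toy_pe32plus(False), build_toy_pe32plus(True)))
```

An unsigned or hash-mismatched boot manager on the ESP is the thing to look for; a signature that is merely present still needs its signer checked, and with Secure Boot enforcing signatures (see `Confirm-SecureBootUEFI` on Windows) a replaced, unsigned bootmgfw.efi should not have booted in the first place, which is why the article notes this method did not need to bypass firmware checks.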

 

Andy Ful

It is good to read the reference article made by Kaspersky (included also in the OP):

From the articles of TheRegister and BleepingComputer it is hard to see the full picture. They are focused on the bootkit variant and it is hard to see that other samples mentioned in these articles are in fact user-mode variants. These user-mode variants do not use the bootkit method, but adopted advanced obfuscation and anti-analysis measures to avoid detection.

[Image: SAS_story_FinFisher_02.png: Overview of the user mode infection]

The Post-Validator is used to be sure that the final malware (Trojan) is going to be used against the highly selected target. The malware is highly targeted.
 