FinFisher spyware: hard to detect, nearly impossible to analyse
FinFisher, a surveillance spyware tool, has boosted its arsenal by adding four-layer obfuscation and advanced anti-analysis measures, as well as the employment of a UEFI bootkit to infect victims.
This suggests that the malware’s authors are doing their utmost to ensure this threat slips through the security nets. It is one of the hardest-to-detect spyware tools to date.
This was revealed by Kaspersky researchers, who presented a comprehensive investigation into all the recent updates introduced into FinFisher spyware for Windows, Mac OS, Linux, and its installers. The research, which took eight months to complete,
Also known as FinSpy or Wingbird, the spyware has been tracked by Kaspersky for ten years, although it went under the radar in 2018.
Kaspersky says FinFisher is now able to gather a variety of credentials, file listings and deleted files, as well as various documents, livestreaming or recording data. It can also gain access to Web cams and microphones.
Once it reared its head again, Kaspersky solutions detected suspicious installers of legitimate applications such as TeamViewer, VLC Media Player, and WinRAR, which contained malicious code that could not be connected to any known malware.
However, the company then discovered a Web site in Burmese that contained the infected installers and samples of FinFisher for Android, helping to identify that they were Trojanised with the same spyware. This pushed Kaspersky researchers to investigate FinFisher further.
New and improved
Unlike previous iterations of the spyware, which embedded the Trojan directly in the infected application, the new samples are protected by two components: a non-persistent pre-validator and a post-validator.
The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Once it has established that it does not, the post-validator component confirms that the infected victim is the intended one, and only then does the server order the fully-fledged Trojan platform to be deployed.
FinFisher is heavily obfuscated with four complex custom-made obfuscators. The primary function of this obfuscation is to slow down the analysis of the spyware. On top of that, the Trojan also employs unusual ways to gather information. For instance, it uses the developer mode in browsers to intercept traffic protected by the HTTPS protocol.
Kaspersky researchers also discovered a sample of FinFisher that replaced the Windows UEFI bootloader, the component that launches the operating system once the firmware has run, with a malicious one.
This enables attackers to install a bootkit without having to bypass firmware security checks. UEFI infections are very rare and generally hard to execute. They stand out due to their evasiveness and persistence. While in this case the attackers did not infect the UEFI firmware itself but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.
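A defender-side check that follows from the description above, added here as an example and not taken from the article or from any Kaspersky tooling: it lists the firmware boot entries, inventories every EFI loader on the EFI System Partition, flags loaders without a valid Authenticode signature, and diffs the inventory against a baseline CSV captured earlier on a known-good machine. The baseline path and the `S:` drive letter are assumptions; run it from an elevated PowerShell.

```powershell
# Added example: inventory and verify EFI loaders on the EFI System Partition (ESP).
# $BaselineCsv and the S: drive letter are assumed values, not from the article.
param(
    [string]$BaselineCsv = "C:\baseline\esp-loaders.csv",
    [string]$EspDrive    = "S:"
)

# Firmware boot entries: an extra entry, or a loader path outside the expected
# \EFI\Microsoft tree (or on another partition), is what to look at first.
bcdedit /enum firmware

# mountvol /S maps the EFI System Partition to the given drive letter.
mountvol $EspDrive /S
try {
    $current = Get-ChildItem -Path "$EspDrive\EFI" -Recurse -Filter *.efi -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName.Substring($EspDrive.Length)
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }

    # A loader that is unsigned or whose signature no longer verifies deserves a look.
    $current | Where-Object { $_.Status -ne 'Valid' } |
        ForEach-Object { Write-Warning "Unsigned or invalid loader: $($_.Path) ($($_.Status))" }

    if (Test-Path $BaselineCsv) {
        $baseline = Import-Csv -Path $BaselineCsv
        # Anything added, removed or changed since the baseline shows up here.
        Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, Hash |
            ForEach-Object {
                $kind = if ($_.SideIndicator -eq '=>') { 'new or modified' } else { 'missing or replaced' }
                Write-Warning "$kind since baseline: $($_.Path) $($_.Hash)"
            }
    }
    else {
        # First run on a known-good host: record the baseline for later comparisons.
        $current | Export-Csv -Path $BaselineCsv -NoTypeInformation
        Write-Output "Baseline written to $BaselineCsv"
    }
    $current | Format-Table Path, Status, Signer -AutoSize
}
finally {
    mountvol $EspDrive /D
}
```

Because the article notes that the malicious module lived on a separate partition, the `bcdedit` listing matters as much as the hashes: a firmware entry whose device or path points outside the ESP is the finding to investigate.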
Nearly impossible to analyse
Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), says the amount of effort that went into making FinFisher inaccessible to researchers is both concerning and impressive.
“It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect,” he adds.
According to him, the fact that the tool is deployed with such precision and is practically impossible to analyse makes its victims particularly vulnerable, and researchers face a significant hurdle: having to invest an overwhelming amount of resources into untangling each and every sample.
“I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge as well as invest in new types of security solutions that can combat such threats,” he ends.
To protect against threats of this nature, Kaspersky recommends downloading apps and programs only from trusted Web sites, and updating the operating system and all software regularly.
Distrust e-mail attachments by default, and avoid installing software from unknown sources, as it may, and often does, contain malicious files. Also, use a strong security solution on all computers and mobile devices.