FinFisher spyware upgrades arsenal with four levels of obfuscation, UEFI infection and more



Kaspersky researchers presented a comprehensive investigation of all recent updates introduced in the FinSpy spyware for Windows, Mac OS and Linux and in its installers. The research, which spanned eight months, reveals four-layered obfuscation and advanced anti-analysis measures used by the spyware developers, as well as the use of a UEFI bootkit to infect victims. The results suggest a strong emphasis on defense evasion, making FinFisher one of the most difficult-to-detect spyware families to date.

FinFisher, also known as FinSpy or Wingbird, is a monitoring tool that Kaspersky has been tracking since 2011. It is capable of collecting various credentials, lists of files and deleted files, and various documents, of live streaming or logging data, and of accessing the webcam and microphone. Its Windows implants were repeatedly detected and studied until 2018, when FinFisher seemed to go quiet. After that, Kaspersky solutions detected suspicious installers of legitimate apps such as TeamViewer, VLC Media Player and WinRAR, which contained malicious code that could not be connected to any known malware. That is, until one day the researchers discovered a Burmese-language website that hosted both the infected installers and samples of FinFisher for Android, which helped establish that the installers were trojanized with the same spyware. This discovery prompted Kaspersky researchers to investigate FinFisher further.

Unlike previous versions of the spyware, in which the Trojan was embedded directly in the infected application, the new samples were protected by two components: a non-persistent pre-validator and a post-validator. The first component performs several checks to ensure that the device it infects does not belong to a security researcher. Only when these checks succeed is the post-validator component delivered by the server; this component ensures that the infected machine is the intended victim. Only then does the server order the deployment of the full-fledged Trojan platform.
FinFisher is heavily obfuscated with four intricate bespoke obfuscators. The main purpose of this obfuscation is to slow down analysis of the spyware. In addition, the Trojan uses special means to collect information. For example, it uses developer mode in browsers to intercept traffic protected by HTTPS.

Researchers also discovered a FinFisher sample that replaced the Windows UEFI boot loader (the component that launches the operating system after the firmware starts) with a malicious component. This mode of infection allowed the attackers to install a bootkit without needing to bypass firmware security controls. UEFI infections are very rare and generally difficult to perform, and they are distinguished by their evasiveness and persistence. Although in this case the attackers did not infect the UEFI firmware itself but the next step of the boot process, the attack was particularly stealthy because the malicious module was installed on a separate partition and could control the boot process of the infected machine.

“The amount of work that goes into making FinFisher inaccessible to security researchers is particularly disturbing and somewhat impressive. It seems the developers are putting at least as much work into obfuscation and anti-analysis measures as they do into the Trojan itself. As a result, its ability to evade detection and analysis makes this spyware particularly difficult to track and detect,” comments Igor Kuznetsov, senior security researcher in the Kaspersky Global Research and Analysis Team (GReAT). “The fact that this spyware is deployed with great precision and is virtually impossible to analyze also means that its victims are particularly vulnerable, and researchers face a particular challenge: having to invest an overwhelming amount of resources to unravel each sample. I believe that complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge, as well as to invest in new types of security solutions capable of combating these threats,” adds Kuznetsov.

To protect yourself against threats such as FinFisher, Kaspersky recommends that you:

- Download your applications and programs from trusted websites.
- Remember to update your operating system and all software regularly. Many security issues can be resolved by installing updated versions of the software.
- Be wary of attachments in unsolicited emails. Before clicking to open an attachment or following a link, think carefully: is this from someone you know and trust; is this expected; is it clean? Hover over links and attachments to see their real name or actual destination.
- Avoid installing software from unknown sources. It can and often does contain malicious files.
- Use a robust security solution on all computers and mobile devices, such as Kaspersky Internet Security for Android or Kaspersky Total Security.

For the protection of businesses, Kaspersky suggests the following:

- Establish a policy for the use of non-professional software. Educate your employees about the risks of downloading unauthorized apps from untrusted sources.
- Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
- Install anti-APT and EDR solutions, enabling threat discovery and detection, investigation and rapid resolution of incidents.
- Provide your SOC team with access to the latest threat intelligence and regularly improve its skills with professional training. All of the above is available as part of Kaspersky Expert Security.
- In addition to adequate endpoint protection, dedicated services can help against large-scale attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks early on, before attackers achieve their goals.
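A defender-side check that follows from the boot-loader replacement described above, added here as an example and not code from the article or from Kaspersky: it mounts the EFI System Partition of a Windows host, verifies the Authenticode signature of every EFI image on it, and lists the firmware boot entries so that a loader living on an unexpected partition stands out. It assumes Windows 10/11 on UEFI firmware, an elevated prompt, and that drive letter S: is free.

```powershell
# Added example (not from the article): audit the EFI System Partition (ESP) and
# firmware boot entries on a Windows host. Assumptions: UEFI firmware, elevated
# PowerShell, and drive letter S: currently unused (mountvol assigns it to the ESP).

$Esp = 'S:'
mountvol $Esp /S | Out-Null   # expose the ESP; /S is the documented switch for this
try {
    # 1. Secure Boot state. The bootkit replaced the Windows boot loader rather than the
    #    firmware, so a disabled Secure Boot is the first thing to look at.
    $sb = try { Confirm-SecureBootUEFI } catch { $null }
    Write-Host ('Secure Boot enabled: {0}' -f $(if ($null -eq $sb) { 'unknown (not UEFI?)' } else { $sb }))

    # 2. Every .efi image on the ESP should carry a valid Authenticode signature. Microsoft
    #    signs bootmgfw.efi; OEM tools (firmware updaters, diagnostics) may carry an OEM
    #    signature, so treat "non-Microsoft" as a prompt to investigate, not as proof.
    $findings = Get-ChildItem -Path "$Esp\EFI" -Recurse -Filter *.efi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    $findings | Format-Table -AutoSize

    $suspect = $findings | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
    if ($suspect) {
        Write-Warning 'EFI images with invalid, missing or non-Microsoft signatures:'
        $suspect | Format-Table Path, Status, Signer -AutoSize
    }

    # 3. Firmware boot entries. An entry whose device or path points somewhere other than
    #    the ESP's \EFI\Microsoft\Boot\bootmgfw.efi matches the "loader on a separate
    #    partition" pattern described in the article and deserves a closer look.
    bcdedit /enum firmware
}
finally {
    mountvol $Esp /D | Out-Null   # always unmount the ESP again
}
```

Record the SHA-256 values from a known-good build and compare them on later runs; a changed hash on bootmgfw.efi that does not coincide with a Windows update is a strong signal.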
