Notorious Spyware Tool Found Hiding Beneath Four Layers of Obfuscation

Published: 23/11/2024   Category: security




FinFisher (aka FinSpy) surveillance software now goes to extreme lengths to duck analysis and discovery, researchers found in a months-long investigation.



FinFisher/FinSpy, the infamous and highly controversial commercial spyware sold by German firm FinFisher to nation-states and law enforcement for surveillance purposes, now wraps itself in four layers of obfuscation and other detection-evasion methods to elude discovery and analysis.
It took researchers at Moscow-based security firm Kaspersky eight months of full-time reverse engineering and analysis to uncover this ultra-stealthy new version of the spyware for Windows, Mac OS, and Linux. In addition to a four-layer obfuscation method, the spyware now employs a UEFI (Unified Extensible Firmware Interface) bootkit for infecting its targets, and it encrypts the malware in memory, according to the researchers. The Kaspersky team's research began in 2019, and they are finally sharing their findings today at Kaspersky's online Security Analyst Summit.
"This was one of the most complicated cases for us as researchers," says Igor Kuznetsov, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT). "They made a lot of effort just to hide everything, even from forensic activities."
The researchers had previously found malicious installers for TeamViewer, VLC Media Player, and WinRAR that had no links to any known malware. But when they found a Burmese-language website with those same installers, as well as FinFisher samples for Android, they circled back to those earlier installers and connected the dots to FinFisher/FinSpy.
Their findings also shine new light on the conventional wisdom that FinFisher had gone dark for a while starting in 2018. It may well be that the spyware attacks were alive and well this whole time but just not visible due to the complex obfuscation methods, the researchers say.
FinFisher's operations have long been under scrutiny, including by Amnesty International. The spyware has been found targeting activists, journalists, and dissidents around the world.
The new version of the spyware shows the extreme measures its developers have taken to keep it invisible to detection and inspection: It first employs a pre-validator component to confirm the targeted device does not belong to a security researcher. If the device does not, the post-validator then confirms the infected machine belongs to the targeted victim; if it does, the malware server installs the Trojan spyware platform itself.
The spyware gathers intel from the infected machine — credentials, file listings, deleted files, documents, livestreaming or recording data, and webcam and microphone access — and employs the developer mode of the browser to hijack and intercept HTTPS traffic coming and going on the machine.
"One of the plug-ins collecting encrypted communications is supposed to steal all encryption keys from the user so all of the traffic can be decrypted," Kuznetsov explains. "Developer mode allows them to force the browser to write all keys on the disk for the attackers' use," he says.
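A defender's counterpart to the key-theft plug-in described above is to check whether a browser on the machine has been configured to write its TLS secrets to disk at all, and, if it has, to gauge how many sessions that file already exposes. The script below is an added example, not Kaspersky's code and not from the original article. It assumes that the browser "developer mode" the article refers to is the standard NSS key-log feature, which Chromium- and Firefox-based browsers turn on when the `SSLKEYLOGFILE` environment variable names a file; the sample key log embedded in it is constructed filler, not real secrets.

```python
"""Triage check for TLS key-log exposure on a user's machine.

Added example: not Kaspersky's code and not from the original article.
Assumption: the browser "developer mode" facility the article describes
is the standard NSS key-log feature, which Chromium- and Firefox-based
browsers enable when the SSLKEYLOGFILE environment variable names a file.
"""
import os
import re
from pathlib import Path

KEYLOG_VAR = "SSLKEYLOGFILE"

# NSS key-log line: "<LABEL> <client_random, 64 hex chars> <secret, hex>".
KEYLOG_LINE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<client_random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)


def keylog_path(env):
    """Return the configured key-log path, or None when the variable is unset or empty."""
    value = env.get(KEYLOG_VAR, "")
    return value if value.strip() else None


def summarize_keylog(text):
    """Count how many TLS sessions have secrets in a key log.

    Returns (sessions, per_label): the number of distinct client_random
    values, and a count of lines per label (CLIENT_RANDOM for TLS 1.2,
    the *_TRAFFIC_SECRET_* labels for TLS 1.3). Comment lines and
    malformed lines are ignored.
    """
    randoms = set()
    per_label = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if m is None:
            continue
        randoms.add(m.group("client_random").lower())
        label = m.group("label")
        per_label[label] = per_label.get(label, 0) + 1
    return len(randoms), per_label


def triage(env, read_file=None):
    """Check one environment mapping and, if a key log is configured, summarize it.

    read_file may be supplied for testing; by default the file is read from
    disk, and a missing file counts as zero exposed sessions.
    """
    path = keylog_path(env)
    finding = {"keylog_configured": path is not None, "path": path,
               "sessions_exposed": 0, "labels": {}}
    if path is None:
        return finding
    if read_file is None:
        def read_file(p):
            return Path(p).read_text(errors="replace") if Path(p).is_file() else ""
    sessions, labels = summarize_keylog(read_file(path))
    finding["sessions_exposed"] = sessions
    finding["labels"] = labels
    return finding


# Constructed sample key log: two sessions, one TLS 1.2 and one TLS 1.3.
# The hex values are filler, not real secrets.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "1" * 64 + " " + "a" * 96,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "2" * 64 + " " + "b" * 64,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "2" * 64 + " " + "c" * 64,
    "CLIENT_TRAFFIC_SECRET_0 " + "2" * 64 + " " + "d" * 64,
    "SERVER_TRAFFIC_SECRET_0 " + "2" * 64 + " " + "e" * 64,
    "garbage line that does not parse",
])


if __name__ == "__main__":
    # Live check of this process's environment, then the constructed sample.
    print("this process:", triage(os.environ))
    print("sample:", triage({KEYLOG_VAR: "constructed.log"},
                            read_file=lambda _p: SAMPLE_KEYLOG))
```

`os.environ` only reflects the process the script runs in; a setting that survives reboots lives in the user's or machine's persistent environment (on Windows, the `Environment` registry keys under HKCU and the Session Manager key under HKLM), so a real sweep should read those stores as well and feed each mapping to `triage()`. Any configured key log on a machine where no developer is debugging TLS is a finding in itself, and the session count tells the incident responder how much captured traffic should be treated as readable.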
And most of the malware itself, which runs in memory, is encrypted.
"Only a tiny [piece of the malware] in the clear is executed," he says. "So even if a forensic expert makes a live memory image, it's almost impossible just to find the malware. Every page will be encrypted, and there's only one module responsible for encrypting and decrypting all these pages."
What's especially unusual with this latest version of FinFisher/FinSpy, notes Kuznetsov, is that it uses multilayer obfuscation, encryption, and a large amount of code in its platform.
"Usually [with malware attacks] we either have a lot of obfuscation and not much business logic, or we have big enterprise code with a huge infrastructure but that is not obfuscated," he says. "Managing both obfuscation and encryption, and maintaining that amount of code is really complicated."
Kaspersky researchers say they can't discuss the victims whose infections they investigated. They wouldn't speculate on who was behind the attacks or what specifically they were after, either, but it was clear the attacks were all about the targeted victim.
"It's not about lateral movement," says Kuznetsov. "It's just about the user of the computer."
Just how FinSpy got onto the victims' machines studied by the researchers is unknown, but it's possible the attackers could have had physical access or had pilfered administrative credentials. Kuznetsov says the victims somehow downloaded and inadvertently installed the first stage of the malware.
One sample of FinFisher had replaced the Windows UEFI bootloader. (UEFI is the firmware interface that initializes the hardware and loads the operating system.) FinFisher's malicious UEFI code then can bypass any firmware security checks. According to the researchers, FinFisher's UEFI bootkit didn't infect the firmware itself but the boot stage, on a separate partition, which makes it harder to detect.
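Because the researchers found the bootkit in the boot stage rather than in the firmware, the loader files on the EFI System Partition (ESP) are one place a defender can actually check. The script below is an added example, not Kaspersky's code and not from the original article: it snapshots SHA-256 hashes of every file on a mounted ESP and reports what was added, removed or modified relative to a saved baseline. It assumes the operator passes the directory where the ESP is mounted (on Windows, for instance after `mountvol S: /S` from an elevated prompt) or where an offline image of the partition has been extracted; the demo runs on a constructed layout in a temporary directory with filler bytes.

```python
"""Baseline-and-compare integrity check for an EFI System Partition (ESP).

Added example: not Kaspersky's code and not from the original article.
Assumption: the operator passes the directory where the ESP is mounted
(on Windows, e.g. after `mountvol S: /S` from an elevated prompt) or where
an offline image of the partition has been extracted.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large EFI binaries aren't loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Diff two snapshots; any non-empty list on a boot partition deserves a look."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def save_baseline(baseline, path):
    """Persist a snapshot; keep this file off the machine being monitored."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Run the check on a constructed ESP layout in a temporary directory.

    File contents are filler bytes; the layout mirrors a Windows ESP only in
    its path names.
    """
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"constructed: original boot manager")
        (boot / "BCD").write_bytes(b"constructed: boot configuration data")
        baseline = build_baseline(esp)

        # The kind of change a boot-stage implant produces: the loader's bytes
        # no longer match the baseline and an extra EFI binary appears.
        (boot / "bootmgfw.efi").write_bytes(b"constructed: different boot manager")
        (esp / "EFI" / "extra.efi").write_bytes(b"constructed: unexpected binary")
        return compare(baseline, build_baseline(esp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow directly from the researchers' findings. First, the bootkit sat on a separate partition, so the check must be run over every partition that carries EFI binaries, not just the one the OS mounts as the ESP. Second, code that runs before the operating system can shape what the operating system sees, so the most trustworthy comparison is against an image of the disk taken offline, with the baseline stored somewhere the monitored machine cannot rewrite.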
Defenses
There are plenty of best practices to protect against FinSpy or other spyware, including the usual process of keeping software updated and installing it only from trusted sources, avoiding opening unsolicited attachments or links, employing strong endpoint protection, and providing cybersecurity awareness training, for example, according to Kaspersky.
The researchers today published a technical report on their findings on the Securelist blog.
