FinFisher “Lawful Interception” Spyware Found in Ten Countries, Including the U.S.

There are signs that the FinFisher “lawful interception” spyware may be installed on command-and-control computers in at least ten different countries, including the United States, according to new research from Rapid7.

Rapid7 researchers analyzed the FinFisher samples obtained from Bahrain to understand how the spyware communicates with its command-and-control computer, according to Claudio Guarnieri, a security researcher with Rapid7. He then looked for those attributes in a global scan of computers on the Internet, and found matches in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, Guarnieri noted in a blog post on Wednesday.

FinFisher secretly monitors computers by turning on webcams, recording everything the user types with a keylogger, and intercepting Skype calls. It can also remotely take control of a computer. Gamma International, a British company, sells the tool to law enforcement agencies and governments.

“We are not able to determine whether they’re [detected machines] actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all,” Guarnieri wrote.

The matches simply indicate that these computers exhibit the “unique behavior associated with what is believed to be the FinFisher infrastructure,” Guarnieri wrote. He found that when computers attempted to connect to a server in Bahrain, which researchers at CitizenLab.org had previously identified as FinFisher infrastructure, the server responded with the message “Hallo Steffi.”

Guarnieri found this pattern in computers located in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, and pinpointed the IP addresses. At this time, only the Latvian server is still responding with the message, and all the other machines are “instantly dropping the connection in the exact same way,” Guarnieri said.
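The two traits described above, a “Hallo Steffi” greeting or an immediate connection drop, are the kind of thing a network defender would want to pick out of their own connection telemetry. The following is an added example, not Rapid7's or SecurityWeek's code: it parses a small set of constructed session records (the key=value log format, field names, TEST-NET addresses and the 100 ms “instant drop” cut-off are all assumptions made for illustration) and labels each remote host by which trait, if any, its response showed.

```python
"""Label recorded connection attempts by the FinFisher C2 traits the
Rapid7 post describes: a "Hallo Steffi" greeting, or an immediate drop
with nothing sent back.  Added example; log format, field names and the
drop threshold are assumptions, not anything from the original report."""
from dataclasses import dataclass
import re

BANNER = b"Hallo Steffi"      # greeting reported from the Bahrain server
DROP_THRESHOLD_MS = 100       # assumed cut-off for an "instant" drop


@dataclass
class Session:
    host: str
    received: bytes    # what the peer sent back before the socket closed
    duration_ms: int   # time from connect to close
    peer_closed: bool  # True if the remote side closed the connection


# Assumed record format: key=value pairs, payload hex-encoded so that
# binary responses survive in a text log.
LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+rx=(?P<rx>[0-9a-fA-F]*)\s+"
    r"dur_ms=(?P<dur>\d+)\s+peer_closed=(?P<pc>[01])"
)


def parse_line(line):
    """Turn one log line into a Session, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Session(
        host=m["host"],
        received=bytes.fromhex(m["rx"]),
        duration_ms=int(m["dur"]),
        peer_closed=m["pc"] == "1",
    )


def classify(session, threshold_ms=DROP_THRESHOLD_MS):
    """Map a session to one of the two reported traits, or 'other'."""
    if BANNER in session.received:
        return "banner-match"
    if (session.peer_closed and not session.received
            and session.duration_ms <= threshold_ms):
        return "instant-drop"
    return "other"


def triage(lines):
    """Return {host: label} for every parseable line; malformed lines are skipped."""
    labels = {}
    for line in lines:
        s = parse_line(line)
        if s is not None:
            labels[s.host] = classify(s)
    return labels


# Constructed sample telemetry (TEST-NET-2 addresses, not real hosts).
SAMPLE_LOG = [
    "host=198.51.100.10 rx=48616c6c6f20537465666669 dur_ms=240 peer_closed=1",  # "Hallo Steffi"
    "host=198.51.100.11 rx= dur_ms=12 peer_closed=1",                           # dropped at once
    "host=198.51.100.12 rx=5353482d322e30 dur_ms=300 peer_closed=0",            # "SSH-2.0" banner
    "host=198.51.100.13 rx= dur_ms=5000 peer_closed=0",                         # our own timeout
    "this line is not a session record",
]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_LOG).items():
        print(f"{host:16} {label}")
```

Only the banner match is a strong signal on its own; an empty, immediately closed connection is common for firewalls and port-knocking services, so in practice the “instant-drop” label is a prompt to correlate with other evidence rather than a verdict.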

It’s not known whether the US-based server identified by Guarnieri is associated with law enforcement or the federal government, or whether a private entity has gotten its hands on the tool. It’s also unclear which of the countries identified by Guarnieri are in fact Gamma clients.

Gamma International has steadfastly claimed the company only sells FinFisher to governments and not to private actors. That isn’t a very reassuring statement, as there is nothing stopping someone from turning around and reselling it to someone outside the government.

“Once in the hands of local police, it might be resold/lost/leaked to other parties, who could then use it against the US/US companies/US persons,” security and privacy researcher Chris Soghoian told SecurityWeek over email.


Human rights activists and security experts have been aware of FinFisher and the possibility of the tool being used to spy on activists and regular citizens, but there haven’t been any samples to analyze until recently. In December, WikiLeaks published promotional videos from Gamma that showed how law enforcement agencies could plant FinFisher to monitor a suspect. Mikko Hypponen, chief research officer at F-Secure, said in March the company was looking for a sample in order to add detection to its security software to protect customers “from attack programs—regardless of the source of such programs.”

The first known analysis of FinFisher came from CitizenLab.org in July. The researchers received multiple attack emails containing suspicious attachments that had been sent to several activists based in Bahrain. After some analysis, they determined the attachments were all part of the same malware family and linked the Trojan to Gamma’s FinFisher spyware tool.

Martin Muench, a managing director at Gamma International, told Bloomberg last month the company hadn’t sold FinFisher to Bahrain. He said it was likely that an old demonstration version had been copied illegally and modified for malicious use.

The malware sample Guarnieri analyzed was disguised as an image file. When opened, the file created a directory and dropped a copy of itself in the new location, Guarnieri wrote in the report. The newly created directory was used for storing dumped data, logs, and screenshots, which were later transferred to a remote command-and-control server.

Related Reading: German Government Paid €2M for R2D2 Spyware