
FinFisher “Lawful Interception” Spyware Found in Ten Countries, Including the U.S.

There are signs that the FinFisher “lawful interception” spyware may be installed on command-and-control computers in at least ten different countries, including the United States, according to new research from Rapid7.

Rapid7 researchers analyzed the FinFisher samples obtained from Bahrain to understand how the spyware communicates with its command-and-control computer, according to Claudio Guarnieri, a security researcher with Rapid7. He then looked for those attributes in a global scan of computers on the Internet, and found matches in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, Guarnieri noted in a blog post on Wednesday.

FinFisher secretly monitors computers by turning on webcams, recording everything the user types with a keylogger, and intercepting Skype calls. It can also remotely take control of a computer. Gamma International, a British company, sells the tool to law enforcement agencies and governments.

“We are not able to determine whether they’re [detected machines] actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all,” Guarnieri wrote.

The matches simply indicate that these computers exhibit the “unique behavior associated with what is believed to be the FinFisher infrastructure,” Guarnieri wrote. He found that when computers attempted to connect to a server in Bahrain, which researchers at CitizenLab.org had previously identified as FinFisher infrastructure, the server responded with the message “Hallo Steffi.”

Guarnieri found this pattern in computers located in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, and pinpointed the IP addresses. At this time, only the Latvian server is still responding with the message, and all the other machines are “instantly dropping the connection in the exact same way,” Guarnieri said.
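The server behaviour described above, a fixed banner on connect or an immediate drop, is the kind of fingerprint a scanner can test for. The Python below is an added example written for this page, not Rapid7's or Guarnieri's scanning code. It assumes the probe is a minimal HTTP request (the article does not say what was actually sent), and it stands up constructed loopback servers in place of real hosts so that it runs offline.

```python
import socket
import threading

# The banner the article reports the Bahrain server returning. The probe
# below is an assumption: the article does not say what Guarnieri's scanner
# sent, so a minimal HTTP request is used here.
FINFISHER_BANNER = b"Hallo Steffi"
PROBE = b"GET / HTTP/1.0\r\n\r\n"


def probe(host, port, timeout=3.0):
    """Connect, send PROBE and collect whatever comes back.

    Returns (data, status) where status is 'eof' (peer closed cleanly),
    'reset' (peer reset the connection), 'timeout' (no answer at all) or
    'refused' (nothing listening).
    """
    data = b""
    status = "eof"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE)
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        status = "refused"
    except (ConnectionResetError, BrokenPipeError):
        status = "reset"
    except socket.timeout:
        status = "timeout"
    return data, status


def classify(data, status):
    """Map one probe result onto the outcomes the article describes."""
    if data.startswith(FINFISHER_BANNER):
        return "finfisher-banner"
    if not data and status in ("eof", "reset"):
        return "dropped-immediately"
    return "other"


def start_fake_server(mode):
    """Constructed loopback stand-in for a scanned host (not a real C2).

    mode 'banner' answers every connection with the banner; mode 'drop'
    accepts and closes without sending a byte. Returns the listening port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if mode == "banner":
                    conn.settimeout(2.0)
                    try:
                        conn.recv(1024)  # consume the client's probe
                    except socket.timeout:
                        pass
                    conn.sendall(FINFISHER_BANNER + b"\r\n")
                # 'drop': leaving the with-block closes the socket at once

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan(targets, timeout=3.0):
    """Probe each (host, port) and return {(host, port): classification}."""
    return {t: classify(*probe(t[0], t[1], timeout)) for t in targets}


if __name__ == "__main__":
    targets = [("127.0.0.1", start_fake_server("banner")),
               ("127.0.0.1", start_fake_server("drop"))]
    for target, verdict in scan(targets).items():
        print(target, verdict)
```

Point the scan at real hosts only with authorization, and treat a match as the same weak evidence the article cautions about: a banner or an identical drop shows that a host behaves like the Bahrain server, not who operates it or why.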

It’s not known whether the US-based server identified by Guarnieri is associated with law enforcement or the federal government, or whether a private entity has gotten their hands on the tool. It’s also unclear which of the countries identified by Guarnieri are in fact Gamma clients.

Gamma International has steadfastly claimed the company only sells FinFisher to governments and not to private actors. That isn’t a very reassuring statement, as there is nothing stopping someone from turning around and reselling it to someone outside the government.

“Once in the hands of local police, it might be resold/lost/leaked to other parties, who could then use it against the US/US companies/US persons,” security and privacy researcher Chris Soghoian told SecurityWeek over email.

Human rights activists and security experts have been aware of FinFisher and the possibility of the tool being used to spy on activists and regular citizens, but there haven’t been any samples to analyze until recently. In December, WikiLeaks published promotional videos from Gamma that showed how law enforcement agencies could plant FinFisher to monitor a suspect. Mikko Hypponen, chief research officer at F-Secure, said in March the company was looking for a sample in order to add detection to its security software to protect customers “from attack programs—regardless of the source of such programs.”

The first known analysis of FinFisher came from CitizenLab.org in July. The researchers received multiple attack emails containing suspicious attachments that had been sent to several activists based in Bahrain. After some analysis, they determined the attachments were all part of the same malware family and linked the Trojan to Gamma’s FinFisher spyware tool.

Martin Muench, a managing director at Gamma International, told Bloomberg last month that the company hadn’t sold FinFisher to Bahrain. He said it was likely that an old demonstration version had been copied illegally and modified for malicious use.

The malware sample Guarnieri analyzed was disguised as an image file. When opened, the file created a directory and dropped a copy of itself in the new location, Guarnieri wrote in the report. The newly created directory was used for storing dumped data, logs, and screenshots, which were later transferred to a remote command-and-control server.
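The article does not say how the image disguise was achieved. One check a practitioner would run on attachments of this kind is a comparison of what the file name promises against what the leading bytes contain. The Python below is an added example, not code from the report; it assumes the disguised sample is a Windows executable carrying an image extension, and the headers it inspects are constructed here rather than taken from real malware.

```python
import os
import struct

# Extensions a dropper might borrow to pass as a picture.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Magic bytes for the formats those extensions promise.
IMAGE_MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
]


def sniff(header):
    """Identify a file from its leading bytes (read at least 64 bytes)."""
    if header.startswith(b"MZ"):
        # DOS stub; the PE signature sits at the offset stored at 0x3c.
        if len(header) >= 0x40:
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            if header[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz"
    for magic, name in IMAGE_MAGIC:
        if header.startswith(magic):
            return name
    return "unknown"


def is_disguised_executable(filename, header):
    """True when the name promises an image but the bytes are a Windows executable."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTENSIONS and sniff(header) in ("pe", "mz")


def scan_headers(samples):
    """samples: iterable of (filename, header_bytes). Returns flagged file names."""
    return [name for name, hdr in samples if is_disguised_executable(name, hdr)]


# Constructed sample headers (not real malware): a minimal MZ/PE header
# whose e_lfanew points at a PE signature, and the start of a JFIF image.
FAKE_PE_HEADER = (b"MZ" + b"\0" * (0x3C - 2)   # DOS header up to e_lfanew
                  + struct.pack("<I", 0x40)     # e_lfanew -> offset 0x40
                  + b"PE\0\0")                  # PE signature
FAKE_JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 52

SAMPLES = [
    ("holiday.jpg", FAKE_PE_HEADER),      # executable wearing an image extension
    ("holiday2.jpg", FAKE_JPEG_HEADER),   # genuine image
    ("setup.exe", FAKE_PE_HEADER),        # executable that says so
]

if __name__ == "__main__":
    print(scan_headers(SAMPLES))
```

Only the first few hundred bytes of each file need to be read, so the check is cheap to run across a mail spool. It catches a mismatch between extension and content; disguises that live in the file name itself rather than the bytes need a separate check.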
