There are signs that the FinFisher “lawful interception” spyware may be installed on command-and-control computers in at least ten different countries, including the United States, according new research from Rapid7.
Rapid7 researchers analyzed the FinFisher samples obtained from Bahrain to understand how the spyware communicates with its command-and-control computer, according to Claudio Guarnieri, a security researcher with Rapid7. He then looked for those attributes in a global scan of computers on the Internet, and found matches in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, Guarnieri noted in a blog post on Wednesday.
FinFisher secretly monitors computers by turning on webcams, recording everything the user types with a keylogger, and intercepting Skype calls. It can also remotely take control of a computer. Gamma International, a British company, sells the tool to law enforcement agencies and governments.
“We are not able to determine whether they’re [detected machines] actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all,” Guarnieri wrote.
The matches simply indicate that these computers exhibit the “unique behavior associated with what is believed to be the FinFisher infrastructure,” Guarnieri wrote. He found that when computers attempted to connect to a server in Bahrain, which had been previously identified by researchers at CitizenLab.org for using FinFisher, the server responded with the message “Hallo Steffi.”
Guarnieri found this pattern in computers located in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, and pinpointed the IP addresses. At this time, only the Latvian server is still responding with the message, and all the other machines are “instantly dropping the connection in the exact same way,” Guarnieri said.
It’s not known whether the US-based server identified by Guarnieri is associated with law enforcement or the federal government, or whether a private entity has gotten their hands on the tool. It’s also unclear which of the countries identified by Guarnieri are in fact Gamma clients.
Gamma International has steadfastly claimed the company only sells FinFisher to governments and not to private actors. That isn’t a very reassuring statement, as there is nothing stopping someone from turning around and reselling it to someone outside the government.
“Once in the hands of local police, it might be resold/lost/leaked to other parties, who could then use it against the US/US companies/US persons,” security and privacy researcher Chris Soghoian told SecurityWeek over email.
Human rights activists and security experts have been aware of FinFisher and the possibility of the tool being used to spy on activists and regular citizens, but there haven’t been any samples to analyze until recently. In December, WikiLeaks published promotional videos from Gamma that showed how law enforcement agencies could plant FinFisher to monitor a suspect. Mikko Hypponen, chief research officer at F-Secure, said in March the company was looking for a sample in order to add detection to its security software to protect customers “from attack programs—regardless of the source of such programs.”
The first known analysis of FinFisher came from CitizenLabs.org in July. The researchers received multiple attack emails containing suspicious attachments that had been sent to several activists based in Bahrain. After some analysis, they determined the attachments were all part of the same malware family and linked the Trojan to Gamma’s FinFisher spyware tool.
Martin Muench, a managing director at Gamma International, told Bloomberg last month the company hadn’t sold FinFisher to Bahrain. He said it was likely than an old demonstration version had been copied illegally and modified for malicious use.
The malware sample Guarinieri analyzed was disguised as an image file. When opened, the file created a directory and dropped a copy of itself in the new location, Guarnieri wrote in the report. The newly created directory was used for storing dumped data, logs, and screenshots, which were later transferred to a remote command-and-control server.
Related Reading: German Government Paid €2M for R2D2 Spyware