Security researchers at Kaspersky have spotted signs of the notorious FinSpy surveillance spyware hijacking — and replacing — the Windows UEFI bootloader to perform stealthy infections on target machines.
This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks and serves as confirmation that the controversial vendor of “lawful interception” spyware has modernized operations to remain undetected.
“UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence,” according to Kaspersky’s Igor Kuznetsov and Georgy Kucherin. “While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”
In a research paper documenting what it calls “unseen findings” related to FinSpy, Kaspersky said the spyware has been tweaked since 2018 to add multiple checks to avoid the prying eyes of security researchers.
“[This is] one of the hardest-to-detect spywares to date,” the researchers said, noting that the spyware has now been fitted with four different levels of obfuscation in addition to the UEFI bootkit vector.
Unlike previous FinSpy versions that contained the Trojan in the infected application immediately, Kaspersky found the new samples are now protected by two components: a non-persistent pre-validator and a post-validator.
“The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Only when the checks pass, is the post-validator component provided by the server – this component ensures that the infected victim is the intended one. Only then would the server command deployment of the full-fledged Trojan platform,” Kaspersky said.
The spyware features four complex custom-made obfuscators meant to slow down the analysis of the spyware. On top of that, the Trojan is capable of using the developers’ mode in browsers to intercept traffic protected with the HTTPS protocol.
“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” Kuznetsov said. “It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect,” he added.
Kuznetsov said the UEFI infection scenario was clever and straightforward. “All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates and replaces the original Windows Boot Manager with a patched version capable of bypassing all security checks.”
On older machines that do not support UEFI, Kaspersky observed infections through the MBR (Master Boot Record).
The Kaspersky research comes at a sensitive time for commercial spyware vendors who exploit zero-days in major software products to infect every type of computing device, from iPhones to Android devices to Windows, macOS and Linux machines.
While these companies claim the surveillance tools are only sold to licensed governments and law enforcement agencies, researchers have published evidence of abuse with targets including government critics, dissidents, journalists and social workers.