FinSpy Surveillance Spyware Fitted With UEFI Bootkit

Security researchers at Kaspersky have spotted signs of the notorious FinSpy surveillance spyware hijacking — and replacing — the Windows UEFI bootloader to perform stealthy infections on target machines.


This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks and serves as confirmation that the controversial vendor of “lawful interception” spyware has modernized operations to remain undetected.

“UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence,” according to Kaspersky’s Igor Kuznetsov and Georgy Kucherin. “While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”

In a research paper documenting what it calls “unseen findings” related to FinSpy, Kaspersky said the spyware has been tweaked since 2018 to add multiple checks to avoid the prying eyes of security researchers.

“[This is] one of the hardest-to-detect spywares to date,” the researchers said, noting that the spyware has now been fitted with four different levels of obfuscation in addition to the UEFI bootkit vector.


Unlike previous FinSpy versions, which contained the Trojan in the infected application immediately, the new samples are protected by two components, Kaspersky found: a non-persistent pre-validator and a post-validator.

“The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Only when the checks pass, is the post-validator component provided by the server – this component ensures that the infected victim is the intended one. Only then would the server command deployment of the full-fledged Trojan platform,” Kaspersky said.


The spyware features four complex custom-made obfuscators meant to slow down the analysis of the spyware. On top of that, the Trojan is capable of using the developers’ mode in browsers to intercept traffic protected with the HTTPS protocol.

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” Kuznetsov said. “It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect,” he added.


Kuznetsov said the UEFI infection scenario was clever and straightforward. “All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates and replaces the original Windows Boot Manager with a patched version capable of bypassing all security checks.”

On older machines that do not support UEFI, Kaspersky observed infections through the MBR (Master Boot Record).  

The Kaspersky research comes at a sensitive time for commercial spyware vendors who exploit zero-days in major software products to infect every type of computing device, from iPhones to Android devices to Windows, macOS and Linux machines.

While these companies claim the surveillance tools are only sold to licensed governments and law enforcement agencies, researchers have published evidence of abuse with targets including government critics, dissidents, journalists and social workers.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
