
FinSpy Surveillance Spyware Fitted With UEFI Bootkit

Security researchers at Kaspersky have spotted signs of the notorious FinSpy surveillance spyware hijacking — and replacing — the Windows UEFI bootloader to perform stealthy infections on target machines.


This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks and serves as confirmation that the controversial vendor of “lawful interception” spyware has modernized operations to remain undetected.

“UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence,” according to Kaspersky’s Igor Kuznetsov and Georgy Kucherin. “While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”

In a research paper documenting what it calls “unseen findings” related to FinSpy, Kaspersky said the spyware has been tweaked since 2018 to add multiple checks to avoid the prying eyes of security researchers.

“[This is] one of the hardest-to-detect spywares to date,” the researchers said, noting that the spyware has now been fitted with four different levels of obfuscation in addition to the UEFI bootkit vector.


Unlike previous FinSpy versions that contained the Trojan in the infected application immediately, Kaspersky found the new samples are now protected by two components: a non-persistent pre-validator and a post-validator. 

“The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Only when the checks pass, is the post-validator component provided by the server – this component ensures that the infected victim is the intended one. Only then would the server command deployment of the full-fledged Trojan platform,” Kaspersky said.

The spyware features four complex custom-made obfuscators meant to slow down the analysis of the spyware. On top of that, the Trojan is capable of using the developers’ mode in browsers to intercept traffic protected with the HTTPS protocol.

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” Kuznetsov said. “It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect,” he added.


Kuznetsov said the UEFI infection scenario was clever and straightforward. “All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates and replaces the original Windows Boot Manager with a patched version capable of bypassing all security checks.”
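A defender can triage the boot manager replacement described above by checking the copy of bootmgfw.efi on the EFI System Partition (ESP). The following PowerShell is an added example, not code from Kaspersky or from this article; it assumes an elevated session, that drive letter S: is free, and that the ESP uses the standard \EFI\Microsoft\Boot layout.

```powershell
# Added example: triage check for the Windows Boot Manager on the ESP.
# Assumptions: elevated PowerShell, drive letter S: unused, standard ESP layout.
$mount = 'S:'
mountvol $mount /S | Out-Null              # map the EFI System Partition
try {
    $espCopy = "$mount\EFI\Microsoft\Boot\bootmgfw.efi"
    $osCopy  = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"   # copy kept by Windows servicing

    # Authenticode status and signer of the file the firmware actually loads.
    $sig = Get-AuthenticodeSignature -FilePath $espCopy

    $report = [pscustomobject]@{
        SecureBoot      = $(try { Confirm-SecureBootUEFI -ErrorAction Stop }
                            catch { 'unavailable' })
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        EspSha256       = (Get-FileHash -Path $espCopy -Algorithm SHA256).Hash
        OsSha256        = (Get-FileHash -Path $osCopy  -Algorithm SHA256).Hash
    }
    $report | Format-List

    if ($sig.Status -ne 'Valid') {
        Write-Warning 'bootmgfw.efi on the ESP has no valid Authenticode signature.'
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning 'bootmgfw.efi is signed, but not by Microsoft.'
    }
    if ($report.EspSha256 -ne $report.OsSha256) {
        # A mismatch can be benign after servicing updates; treat it as a triage signal.
        Write-Warning 'ESP boot manager differs from the servicing copy under %SystemRoot%\Boot\EFI.'
    }
}
finally {
    mountvol $mount /D | Out-Null          # always unmap the ESP again
}
```

Because a bootkit runs before the operating system, results gathered on the live host are only a first signal; repeat the hash and signature check on the ESP from trusted boot media before drawing conclusions.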

On older machines that do not support UEFI, Kaspersky observed infections through the MBR (Master Boot Record).  

The Kaspersky research comes at a sensitive time for commercial spyware vendors who exploit zero-days in major software products to infect every type of computing device, from iPhones to Android devices to Windows, macOS and Linux machines.

While these companies claim the surveillance tools are only sold to licensed governments and law enforcement agencies, researchers have published evidence of abuse with targets including government critics, dissidents, journalists and social workers.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
