SecurityWeek

Malware & Threats

New FinSpy Spyware Variants Identified, Dissected

Human rights organization Amnesty International has identified new macOS and Linux-targeting variants of the infamous FinFisher-made spyware family FinSpy.

The German company that develops FinSpy, FinFisher GmbH, offers surveillance technology for law enforcement, but there have been many reports in recent years of its products being used by authoritarian regimes against their opponents. The FinSpy spyware has been used for roughly a decade in numerous attacks on activists, dissidents, journalists, and other individuals of interest, with attacks observed in countries such as Bahrain, Egypt, Ethiopia, Turkey, the UAE, and many more.

A fully-fledged surveillance suite, FinSpy was designed to intercept communications, record audio and video from both computers and mobile devices, and steal private information.

While diving deeper into the use of FinSpy by a hacking group dubbed NilePhish, which is believed to be state sponsored, Amnesty International discovered previously unknown samples targeting Linux and macOS, along with infrastructure used to distribute the Windows variant of the spyware disguised as an Adobe Flash Player installer.

“Amnesty International has not documented human rights violations by NilePhish directly linked to FinFisher products,” the organization explains.

Amnesty International identified the Linux and macOS FinSpy samples on a server that does not appear to be related to NilePhish and likely belongs to a different spyware operator; the organization says the samples were created between April 2019 and November 2019.

The macOS-targeting sample features a complex infection chain and also packs additional measures to hinder analysis. The binaries are obfuscated, VM checks are performed, and the first stage attempts to gain root access through a couple of exploits, or by asking the user to grant root permissions if the exploits don’t work.

The threat has a modular design, with a core component responsible for command and control (C&C) communication, and with a variety of modules that are decrypted and loaded when needed to perform various operations. Each module has its own configuration file.

Identified modules are responsible for listing files, executing shell commands, scheduling, recording audio/camera/screen, logging keystrokes (including from virtual keyboards), recording file access/modification/deletion, stealing emails, listing files on remote devices, and handling cryptography for C&C communications. Additional modules likely exist.

Communication with the C&C is performed using HTTP POST requests, with the sent data being encrypted and compressed.
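The traffic pattern the article attributes to the macOS sample (HTTP POST requests whose payloads are encrypted and compressed) is one a defender can look for in proxy telemetry: an opaque, high-entropy POST body going to a host the organization has no business relationship with deserves a second look. The following is an added example, not code from the article, Amnesty International or FinFisher; the proxy record layout, the allowlisted hosts, the sample bodies and the entropy threshold are all constructed for illustration.

```python
"""
Added example, not code from the article, Amnesty International or FinFisher:
a triage heuristic over proxy log records that flags HTTP POST requests whose
bodies look encrypted or compressed (high Shannon entropy) and that are sent
to hosts outside an assumed allowlist. Hosts, bodies and the threshold are
constructed for illustration.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass
class ProxyRecord:
    client: str
    method: str
    host: str
    body: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, approaching 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed allowlist: hosts this organization expects to receive binary uploads.
ALLOWED_BINARY_UPLOAD_HOSTS = {"backup.example-corp.test"}
ENTROPY_THRESHOLD = 7.0  # constructed cut-off; compressed/encrypted data sits near 8.0
MIN_BODY_BYTES = 64      # entropy estimates on tiny bodies are too noisy to act on


def is_suspicious_post(rec: ProxyRecord) -> bool:
    """True for a POST to a non-allowlisted host whose body is opaque, high-entropy data."""
    if rec.method != "POST" or len(rec.body) < MIN_BODY_BYTES:
        return False
    if rec.host in ALLOWED_BINARY_UPLOAD_HOSTS:
        return False
    return shannon_entropy(rec.body) >= ENTROPY_THRESHOLD


def triage(records: List[ProxyRecord]) -> List[ProxyRecord]:
    """Return the records worth an analyst's attention, in log order."""
    return [r for r in records if is_suspicious_post(r)]


# Constructed sample data. OPAQUE_BLOB stands in for an encrypted, compressed
# beacon body; it is built deterministically from SHA-256 digests so the
# example runs the same way offline every time.
OPAQUE_BLOB = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(32))
FORM_BODY = b'{"user":"alice","action":"view","page":"dashboard"}' * 4

SAMPLE_RECORDS = [
    ProxyRecord("10.0.0.5", "POST", "intranet.example-corp.test", FORM_BODY),
    ProxyRecord("10.0.0.5", "POST", "cdn-telemetry.example.test", OPAQUE_BLOB),
    ProxyRecord("10.0.0.7", "POST", "backup.example-corp.test", OPAQUE_BLOB),
    ProxyRecord("10.0.0.7", "GET", "cdn-telemetry.example.test", b""),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS):
        print(f"review: {rec.client} POST {rec.host} "
              f"({len(rec.body)} bytes, entropy {shannon_entropy(rec.body):.2f})")
```

Run as written, only the POST of the opaque blob to `cdn-telemetry.example.test` is reported: the JSON form post has text-like entropy, the same blob to the allowlisted backup host is expected, and the GET carries no body. The heuristic is a triage aid rather than a detection on its own: legitimate gzip uploads, file transfers and any body that is only visible after TLS inspection will score just as high, so the allowlist and the threshold need tuning against the organization's own baseline.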

Development of the macOS FinSpy samples likely started in 2013, but Amnesty International believes that the spyware was not packaged for use until November 2019. Another sample found on VirusTotal was created in February 2018.

Patrick Wardle, principal security researcher at Jamf, who provides a detailed technical analysis of the February 2018 sample, explains that the package is not signed via macOS’s built-in codesign utility, and that it includes a batch script that runs a couple of installers, both legitimate and malicious ones, the former likely meant to distract the user.

The analyzed Linux variant of FinSpy is also modular in nature and is very similar to the macOS version, suggesting potential code sharing, although the launchers and infection chain are tailored differently, Amnesty notes.

“The modules available in the Linux sample are almost identical to the MacOS sample. The binaries are stored encrypted and obfuscated too, with a slightly different format. […] The modules available are exactly the list of modules in the MacOS sample with the addition of the module 14, which is responsible to extract data and record conversations from Skype,” the organization explains.

Amnesty identified another Linux sample on VirusTotal, one that was uploaded there in 2014. The organization also analyzed an Android sample that shows multiple layers of obfuscation, employs Unix sockets for communication between threads, stores configuration data directly in the Dex file, and can be reconfigured via SMS.

A FinSpy for Windows variant was identified as well, distributed as a backdoored version of the WinRAR software. Given that the WinRAR release it was built from came out in April 2019, the backdoored version was likely generated between April and September 2019.

Related: Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report

Related: Growing Number of Governments Using FinFisher Spyware: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
