Security Experts:

New FinSpy Spyware Variants Identified, Dissected

Human rights organization Amnesty International has identified new macOS and Linux-targeting variants of the infamous FinFisher-made spyware family FinSpy.

The German company that develops FinSpy, FinFisher Gmbh, offers surveillance technology for law enforcement, but there have been many reports over the past years of its products being used by authoritarian regimes against their opponents. The FinSpy spyware has been used for roughly a decade in numerous attacks on activists, dissidents, journalists, and other individuals of interest, with attacks observed in countries such as Bahrain, Egypt, Ethiopia, Turkey, UAE, and many more.

A fully-fledged surveillance suite, FinSpy was designed to intercept communications, record audio and video from both computers and mobile devices, and steal private information.

While diving deeper into the use of FinSpy by a hacking group dubbed NilePhish, which is believed to be state sponsored, Amnesty International discovered previously unknown samples targeting Linux and macOS, along with an infrastructure to distribute the Windows variant of the spyware disguised as an Adobe Flash Player installer.

“Amnesty International has not documented human rights violations by NilePhish directly linked to FinFisher products,” the organization explains.

Amnesty International identified the Linux and macOS FinSpy samples on a server that does not appear related to NilePhish, but which likely belongs to a different spyware operator, and says that they were created between April 2019 and November 2019.

The macOS-targeting sample features a complex infection chain and also packs additional measures to hinder analysis. The binaries are obfuscated, VM checks are performed, and the first stage attempts to gain root access through a couple of exploits, or by asking the user to grant root permissions if the exploits don’t work.

The threat has a modular design, with a core component responsible for command and control (C&C) communication, and with a variety of modules that are decrypted and loaded when needed to perform various operations. Each module has its own configuration file.

Identified modules are responsible for listing files, executing shell commands, scheduling, recording audio/camera/screen, logging keystrokes (including from virtual keyboards), recording file access/modification/deletion, stealing emails, listing files on remote devices, and handling cryptography for C&C communications. Additional modules likely exist.

Communication with the C&C is performed using HTTP POST requests, with the sent data being encrypted and compressed.

Development of the macOS FinSpy samples likely started in 2013, but Amnesty International believes that the spyware was packaged for use in November 2019 only. Another sample found on VirusTotal was created in February 2018.

Patrick Wardle, principal security researcher at Jamf, who provides a detailed technical analysis of the February 2018 sample, explains that the package is not signed via macOS’s built-in codesign utility, and that it includes a batch script that runs a couple of installers, both legitimate and malicious ones, the former likely meant to distract the user.

The analyzed Linux variant of FinSpy is also modular in nature and is very similar to the macOS version, suggesting potential code sharing, although the launchers and infection chain are tailored differently, Amnesty notes.

“The modules available in the Linux sample are almost identical to the MacOS sample. The binaries are stored encrypted and obfuscated too, with a slightly different format. […] The modules available are exactly the list of modules in the MacOS sample with the addition of the module 14, which is responsible to extract data and record conversations from Skype,” the organization explains.

Amnesty identified another Linux sample on VirusTotal, one that was uploaded there in 2014. The organization also analyzed an Android sample that shows multiple layers of obfuscation, employs Unix sockets for communication between threads, stores configuration data directly in the Dex file, and can be reconfigured via SMS.

A FinSpy for Windows variant was identified as well, distributed as a backdoored version of the WinRAR software. Given that the used WinRAR variant was released in April 2019, the backdoor was likely generated between April and September 2019.

Related: Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report

Related: Growing Number of Governments Using FinFisher Spyware: Report

view counter