New FinSpy Spyware Variants Identified, Dissected

Human rights organization Amnesty International has identified new macOS and Linux-targeting variants of the infamous FinFisher-made spyware family FinSpy.

The German company that develops FinSpy, FinFisher GmbH, offers surveillance technology to law enforcement, but there have been many reports over the years of its products being used by authoritarian regimes against their opponents. The FinSpy spyware has been used for roughly a decade in numerous attacks on activists, dissidents, journalists, and other individuals of interest, with attacks observed in countries such as Bahrain, Egypt, Ethiopia, Turkey, the UAE, and many more.

A fully-fledged surveillance suite, FinSpy was designed to intercept communications, record audio and video from both computers and mobile devices, and steal private information.

While diving deeper into the use of FinSpy by a hacking group dubbed NilePhish, which is believed to be state sponsored, Amnesty International discovered previously unknown samples targeting Linux and macOS, along with an infrastructure to distribute the Windows variant of the spyware disguised as an Adobe Flash Player installer.

“Amnesty International has not documented human rights violations by NilePhish directly linked to FinFisher products,” the organization explains.

Amnesty International identified the Linux and macOS FinSpy samples on a server that does not appear related to NilePhish, but which likely belongs to a different spyware operator, and says that they were created between April 2019 and November 2019.

The macOS-targeting sample features a complex infection chain and also packs additional measures to hinder analysis. The binaries are obfuscated, VM checks are performed, and the first stage attempts to gain root access through a couple of exploits, or by asking the user to grant root permissions if the exploits don’t work.

The threat has a modular design, with a core component responsible for command and control (C&C) communication, and with a variety of modules that are decrypted and loaded when needed to perform various operations. Each module has its own configuration file.

Identified modules are responsible for listing files, executing shell commands, scheduling, recording audio/camera/screen, logging keystrokes (including from virtual keyboards), recording file access/modification/deletion, stealing emails, listing files on remote devices, and handling cryptography for C&C communications. Additional modules likely exist.

Communication with the C&C is performed using HTTP POST requests, with the sent data being encrypted and compressed.
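The encrypted-and-compressed HTTP POST pattern described above is one of the few network-level characteristics a defender can hunt for without a sample in hand. The following is an added example, not code from Amnesty International, Jamf or FinFisher: a small triage heuristic that computes the Shannon entropy of POST bodies from proxy or packet-capture records and flags bodies whose byte distribution looks like ciphertext or compressed data rather than form fields or JSON. The request records, host names and the `203.0.113.10` address are constructed for the example; the 7.0 bits/byte threshold and 128-byte minimum are assumptions to tune against your own traffic.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def opaque_bytes(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for an encrypted+compressed beacon body.

    A SHA-256 chain is used only so the example is deterministic and offline;
    real traffic would carry whatever the implant's crypto layer emits.
    """
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed request records in the shape a proxy log exporter might produce.
SAMPLE_REQUESTS = [
    {
        "method": "POST",
        "host": "login.example.org",
        "content_type": "application/x-www-form-urlencoded",
        "body": b"username=alice&password=correct-horse-battery-staple&remember=1&" * 5,
    },
    {
        "method": "GET",
        "host": "cdn.example.org",
        "content_type": "",
        "body": b"",
    },
    {
        "method": "POST",
        "host": "203.0.113.10",          # constructed C&C address (TEST-NET-3)
        "content_type": "application/octet-stream",
        "body": opaque_bytes(b"constructed-example-seed", 1024),
    },
    {
        "method": "POST",
        "host": "api.example.net",
        "content_type": "application/json",
        "body": b'{"event":"heartbeat","ts":1700000000,"status":"ok"}',
    },
]


def flag_opaque_posts(requests, threshold: float = 7.0, min_len: int = 128):
    """Return (host, entropy) for POSTs whose body looks encrypted/compressed.

    Short bodies are skipped because entropy is bounded by log2(len) and a
    tiny JSON heartbeat would otherwise be unfairly scored. Text-like bodies
    (forms, JSON, XML) sit well below 6 bits/byte; ciphertext and compressed
    data approach 8, so a 7.0 threshold separates the two for triage.
    """
    flagged = []
    for r in requests:
        if r["method"] != "POST" or len(r["body"]) < min_len:
            continue
        h = shannon_entropy(r["body"])
        if h >= threshold:
            flagged.append((r["host"], round(h, 2)))
    return flagged


if __name__ == "__main__":
    for host, h in flag_opaque_posts(SAMPLE_REQUESTS):
        print(f"opaque POST body to {host}: {h} bits/byte")
```

High-entropy POST bodies are not malicious by themselves: file uploads, image posts and any client that compresses before sending will score the same. The value of the check is as a pivot, combining the entropy score with destination rarity, lack of a referrer, and periodicity of the requests before escalating.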

Development of the macOS FinSpy samples likely started in 2013, but Amnesty International believes that the spyware was not packaged for use until November 2019. Another sample found on VirusTotal was created in February 2018.

Patrick Wardle, principal security researcher at Jamf, who provides a detailed technical analysis of the February 2018 sample, explains that the package is not signed via macOS’s built-in codesign utility, and that it includes a batch script that runs a couple of installers, both legitimate and malicious ones, the former likely meant to distract the user.

The analyzed Linux variant of FinSpy is also modular in nature and is very similar to the macOS version, suggesting potential code sharing, although the launchers and infection chain are tailored differently, Amnesty notes.

“The modules available in the Linux sample are almost identical to the MacOS sample. The binaries are stored encrypted and obfuscated too, with a slightly different format. […] The modules available are exactly the list of modules in the MacOS sample with the addition of the module 14, which is responsible to extract data and record conversations from Skype,” the organization explains.

Amnesty identified another Linux sample on VirusTotal, one that was uploaded there in 2014. The organization also analyzed an Android sample that shows multiple layers of obfuscation, employs Unix sockets for communication between threads, stores configuration data directly in the Dex file, and can be reconfigured via SMS.

A FinSpy for Windows variant was identified as well, distributed as a backdoored version of the WinRAR software. Given that the WinRAR build that was backdoored was released in April 2019, the trojanized package was likely generated between April and September 2019.

Related: Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report

Related: Growing Number of Governments Using FinFisher Spyware: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
