Latest FinFisher spyware upgrades 'particularly worrying,' says Kaspersky

Eight-month analysis finds four-layer obfuscation, two-stage loader, and a new UEFI attack


Kaspersky has presented the findings of an eight-month probe into the FinFisher spyware toolset – including the discovery of a UEFI "bootkit" infection method and "advanced anti-analysis methods" such as "four-layer obfuscation."

FinFisher, also known as FinSpy, is a product from Anglo-German spy firm Gamma International and supplied exclusively to law enforcement and intelligence agencies for use as a surveillance tool. The software was allegedly used by the former Egyptian government of Hosni Mubarak to spy on dissidents and by the Bahraini government to spy on Bahraini activists in Britain – the latter resulting in the software having been found in breach of human rights.

The toolkit receives frequent updates to evade detection and add new functionality, with Kaspersky having previously investigated a 2019 update which boosted its spying capabilities to include chat, physical movement, microphone, and camera access, alongside locally stored data capture and exfiltration.

In Kaspersky's latest report on the tool, the company's research team claimed that FinFisher's creators have been working on hiding the tool from anti-malware detection and even professional analysis.

"Unlike previous versions of the spyware, which contained the Trojan in the infected application right away, new samples were protected by two components: non-persistent Pre-validator and a Post-Validator," the report said.

The pre-validator performs a range of checks to see if the system being infected might belong to a security researcher analysing the malware, refusing to allow the infection to take hold if so. Should the pre-validator not be triggered, a post-validator is provided by the command-and-control server to check that the system to be infected is indeed the target device – and only if both tests hold true will the Trojan be downloaded and installed.

The researchers also discovered a "four-layer obfuscation" system, designed to protect the malware from analysis should it somehow fall into the wrong hands, and one sample which was designed to replace the Windows Unified Extensible Firmware Interface (UEFI) bootloader with its own malicious equivalent – installing a boot-time infection without triggering firmware security checks.

"The amount of work that was put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive. It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself," said Kaspersky's Igor Kuznetsov in a statement as the researchers presented their findings at the Security Analyst Summit 2021 today.

"As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect. The fact that this spyware is deployed with high precision and is practically impossible to analyse also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample."

"UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence," the researchers claimed. "While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine."

"I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge," Kuznetsov concluded, "as well as invest in new types of security solutions that can combat such threats."

Kaspersky's advice to anyone looking to protect themselves from FinFisher and similar attacks: obtain software only from trusted websites; keep all software and the operating system itself up-to-date; "distrust email attachments by default"; and avoid installing software from unknown sources.

The full report is available to read on Kaspersky's Securelist now. The company declined to share details about the number or identities of the targets discovered during the investigation – though it did state the two UEFI infection targets were located in Europe and Asia.

Gamma International did not respond to a request for comment at the time of publication. ®


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021