Kaspersky researchers have conducted a comprehensive study of the latest updates to the Windows, Mac OS and Linux versions of FinSpy spyware, as well as its installers. Eight months of research have revealed that FinFisher is one of the most difficult spyware to detect.
FinFisher (also known as FinSpy or Wingbird) is a monitoring tool that Kaspersky has been monitoring since 2011. The program is capable of collecting various credentials, file lists and deleted files, as well as various documents, live streams or recordings, and has access to a webcam and microphone. Its Windows plug-ins were detected and researched several times until 2018, when FinFisher seemed to disappear from the radar.
Subsequently, Kaspersky’s solutions found suspicious installers that were legitimate applications, e.g. were installers of TeamViewer, VLC Media Player, and WinRAR, and contained malicious code that could not be linked to any known malware.
Then one day they found a Burmese-language website that had copies of the infected installers and the Android version of FinFisher, so it was determined that they were all infected with the same spyware with a Trojan virus. This discovery prompted Kaspersky researchers to further investigate FinFisher.
Unlike previous versions of spyware, where the Trojan virus was contained directly in the infected application, the new instances were protected by two components: a non-persistent pre-validator and a post-validator. The first component runs several security checks to make sure that the device to be infected does not belong to a security researcher. The post-idator component is only started by the server if this check is successful. This component ensures that the victim who is intended to be infected is actually infected. Only then will the server issue a command to install the entire Trojan platform, the security company said in a statement.
The Trojan collects information using specific methods. For example, it uses developer mode in the browser to capture HTTPS-protected traffic. Researchers have also discovered an instance of FinFisher that replaces the Windows UEFI bootloader – a component that starts the operating system after the firmware starts, along with a malware. This method of infection allowed attackers to install a bootkit without bypassing firmware security checks. UEFI infections are very rare and usually difficult to perform.
Of particular concern, but also somewhat impressive, is how much energy has been put into making FinFisher unavailable to security researchers. The developers seem to have invested at least as much work in obfuscation and anti-analysis procedures as in the Trojan virus itself. Therefore, this spyware is particularly difficult to track and detect due to its ability to bypass detection and analysis. They are installed with a high degree of precision and are virtually impossible to analyze, which also means that its victims are particularly vulnerable and researchers face a special challenge, as it requires a huge amount of resources to unpack each specimen. I think that complex threats, like FinFisher, illustrate the importance of collaboration and knowledge exchange between security researchers and investing in new types of security solutions to combat similar threats. ”
He said about it Igor Kuznetsov, a senior security researcher at Kaspersky ‘s global research and analysis team.
Kaspersky recommends the following to protect against threats like FinFisher:
- Only download applications and programs from trusted websites.
- Remember to update your operating system and all software regularly. Installing updated software versions can resolve many security issues.
- By default, do not trust the attachments you receive in the email. Before you click on an attachment to open it, or before you click on a link, think carefully about whether it came from someone you know and trust, expected, clean? Hover over the link or attachment to see what its name is or where it actually takes you.
- Do not install software from unknown sources, as they may contain, and often contain, malicious files.
- Use a strong security solution on all your computers and mobile devices, such as Kaspersky Internet Security for Android or Kaspersky Total Security.