An eight-month-long investigation by Kaspersky has revealed multiple insights about the new upgrades in the FinFisher spyware, or FinSpy, that has been active in the wild since 2011.

What has been discovered

According to the research, an upgraded version of FinSpy is using a highly sophisticated method of infection.
  • The attackers are using a UEFI bootkit to infect the target machines. This bootkit alters the genuine boot sequence of the Windows Boot Manager (via bootmgfw[.]efi file) of all infected machines.
  • Infected UEFI firmware allows bootkit malware to be installed within SPI flash storage, which is soldered to the motherboard.
  • This makes the attack highly persistent as this infection cannot be removed even via OS reinstallation or replacing the hard drive.

Using bootkits, attackers are able to control operating systems' boot process and disable the defenses by evading the Secure Boot mechanism of the system. In addition to using the bootkit, the Kaspersky report also highlighted how the authors of FinFisher put additional efforts into making it difficult for researchers to analyze.

The obfuscation and anti-analysis tactics

The malware authors were observed employing different layers of obfuscation and anti-analysis tactics in some of the FinFisher samples.
  • During its operation, a malicious component called the Pre-Validator is downloaded and launched. This makes sure that the victim machine is not being used for malware analysis. In case these security checks fail, the infection process is terminated.
  • Once all security checks are passed, the malicious server installs a component called Post-Validator, which collects additional information (like running processes) from the victim machine and sends it to the C2 server.
  • Moreover, these samples needed lots of effort and work to be unscrambled for analysis.

Apparently, the efforts turned out to be effective as most of the malware samples evaded almost all detection attempts.

Conclusion

Although FinFisher is thought to be used only by government agencies. In the past, there have been incidents when it was used in spear-phishing campaigns. The use of UEFI bootkit, advanced obfuscation, and anti-analysis tactics make FinFisher one of the most dangerous malware.
Cyware Publisher

Publisher

Cyware