New Variants of Cross-platform FinSpy Now Target Mac and Linux Users

FinSpy, a full-fledged commercial spyware suite developed by Munich-based company FinFisher Gmbh, has turned the heads of security researchers once again. Often used by law enforcement and government agencies around the world since 2011, this tool is now enhanced to target Mac and Linux users, making it a truly cross-platform across all major operating systems in the market.

Latest discovery

Recently Amnesty International researchers have observed several FinSpy campaigns targeting macOS and Linux users in Egypt. The Windows, Android, and iOS variants have already been available for quite some time.
  • The new FinSpy variants have been used for targeting the Egyptian human rights defenders and media and civil society organizations.
  • The newly discovered variants of FinSpy include Jabuka.app for Mac OS and PDF for Linux, both disclosed for the first time. 
  • These newer versions were seen exploiting a bug in Mac OS X < 10.9 (fixed in 2013 or 2014) and Python exploit for CVE-2015-5889 (targets Apple OS X before 10.11).
  • Researchers also discovered the enhanced variants for Windows (wrar571.exe) and Android (WIFI.apk) that were generated between April 2019 and November 2019.

Decade-old connection with the Egyptian regime

Investigators had found the involvement of the Egypt's state security apparatus for contracts of the sale of FinSpy with Gamma International UK Ltd almost one decade ago, in 2011.
  • Since its first discovery, FinSpy has been used to target HRDs and civil society in many countries, including Bahrain (2012), Ethiopia (2014), and Turkey (2018).
  • A threat actor dubbed NilePhish was also found distributing the FinSpy variants through a fake Adobe Flash Player download website in March 2019.

A hands-on triage

In September, Patrick Wardle, a security researcher with Jamf, published a triage of the FinSpy (macOS) malware.


Recent cross-platform malware

  • In July, the North Korean hacking group Lazarus was found using a new malware framework called MATA, which provided flexibility to target Windows, Linux, and macOS.
  • In May, Lazarus was also found distributing a new macOS variant of Dacls RAT. Windows and Linux variants of Dacls RAT were already discovered in December 2019.

Ending notes

The rapid development of cross-platform and multi-platform malware indicates increasing skills and sophisticated techniques of threat actors. To prevent such threats, experts suggest adopting a proactive security approach, which includes keeping all the operating systems and applications patched and leveraging threat intelligence insights, as well as using standard anti-malware and firewall solutions.