What is FinSpy malware?


FinSpy: A sophisticated Remote Access Trojan (RAT)

FinSpy, also known as FinFisher or WingBird, is commercial-grade surveillance malware that operates as a sophisticated Remote Access Trojan (RAT). It was developed, marketed, and sold to law enforcement and intelligence agencies worldwide and is described by The Courthouse News Service as a “lawful interception” tool. FinFisher GmbH, the German company that made the spyware, filed for bankruptcy and was dissolved in 2022, but the FinSpy malware is still in use.

FinSpy's core capabilities include full remote control and data exfiltration. This includes file system access, system information collection, process management, registry manipulation, screenshots, camera and microphone control, keylogging, and geolocation tracking. It also excels at communication interception, bypassing encryption in popular messaging apps and stealing emails.

For persistence, FinSpy uses advanced techniques such as infecting the Master Boot Record (MBR) and the Unified Extensible Firmware Interface (UEFI) boot chain for deep system control, and also uses registry run keys, Windows services, and macOS launch agents. It employs heavy obfuscation, anti-analysis checks, rootkit functionality, UAC bypass, and DLL sideloading and hijacking to evade detection. FinSpy has been connected to zero-day vulnerabilities like CVE-2017-8759 and CVE-2017-0199 for distribution, and continues to be deployed through existing vulnerabilities, social engineering, and sophisticated bootkit capabilities.

Understanding FinSpy’s operation and software impact

RAT malware, once installed on a victim’s device, allows an attacker to remotely control and monitor the infected system as if they had direct physical access. FireEye states, “FinSpy leverages heavily obfuscated code that employs a built-in virtual machine, among other anti-analysis techniques, to make reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”
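The anti-analysis trick FireEye describes above has a direct consequence for anyone running a sandbox or triage pipeline: a sample staged under a filename that equals its own hash can notice that and behave benignly. The following check, an added example that is not from the original article or from any vendor tooling, shows the defender's side of it: it tests whether a sample's path discloses the sample's own digest (the MD5 case is the one the report describes; checking SHA-1 and SHA-256 as well is an assumption added here, since many pipelines name files by those digests too) and picks a staging name that does not leak it. The sample bytes and paths are constructed for illustration.

```python
import hashlib
import os
import secrets


def content_hashes(data: bytes) -> dict:
    """Digests that analysis pipelines commonly use as filenames.

    MD5 is the case the FireEye report describes; SHA-1 and SHA-256 are an
    assumption added in this example because pipelines often use those too.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def path_reveals_hash(path: str, data: bytes) -> list:
    """Mirror the sample-side check: does the file's own path contain its own
    digest?  Returns the names of the digests found (case-insensitive), or an
    empty list if the path is clean."""
    lowered = path.lower()
    return [name for name, digest in content_hashes(data).items() if digest in lowered]


def staging_name(original_name: str) -> str:
    """Filename for the sandbox copy: a random token plus the original
    extension, so no digest of the content appears in the path."""
    _, ext = os.path.splitext(original_name)
    return f"sample_{secrets.token_hex(8)}{ext}"


# Constructed sample content; any bytes would do for the demonstration.
SAMPLE_DATA = b"MZ\x90\x00constructed-sample-bytes-not-a-real-binary"


def demo() -> dict:
    """Stage the constructed sample the bad way and the good way."""
    md5 = content_hashes(SAMPLE_DATA)["md5"]
    bad_path = os.path.join("C:\\Samples", md5.upper() + ".EXE")   # hash-named, uppercase
    good_path = os.path.join("C:\\Samples", staging_name("dropper.exe"))
    return {
        "bad": path_reveals_hash(bad_path, SAMPLE_DATA),     # ['md5']
        "good": path_reveals_hash(good_path, SAMPLE_DATA),   # []
    }


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label}: {'leaks ' + ','.join(hit) if hit else 'clean'}")
```

Keep the hash in the sandbox's metadata store rather than in the filename; the sample sees only the random staging name, and the pipeline still has the digest it needs for deduplication.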

While we don't have publicly disclosed reports of a specific, newly discovered "zero-day" vulnerability being exploited to deploy FinSpy in 2023 or 2024, it's highly likely that the following are being used:

  • Existing vulnerabilities: FinSpy may leverage older, but still unpatched or widely prevalent, vulnerabilities in its attacks.
  • Social engineering: The use of trojanized software and sophisticated spear-phishing remains a primary infection vector, which relies less on a specific "exploit" of a software flaw and more on tricking the user.
  • Sophisticated persistence: FinSpy’s advanced bootkit capabilities highlight its deep-level exploitation of the system's boot process.

Core RAT capabilities of FinSpy

  • Full remote control and data exfiltration
    FinSpy gives its operators near-complete control over the infected device. This includes the following:

    • File system access: Browsing, stealing, modifying, and deleting files.
    • System information collection: Gathering detailed data about the operating system, installed software, hardware, and network configuration.
    • Process management: Listing running processes, terminating them, and even launching new ones.
    • Registry manipulation (Windows): Modifying system settings and configurations.
    • Screenshots and camera or microphone control: Remotely activating the device's camera and microphone to capture audio and video, and taking screenshots.
    • Keylogging: Recording every keystroke made by the user, capturing sensitive information like passwords, messages, and search queries.
    • Geolocation tracking: Continuously monitoring the device's GPS location.
  • Communication interception
    This is a major focus for FinSpy, given its target audience of law enforcement and intelligence, and includes the following:

    • Messaging apps: Intercepting messages and files from a wide range of popular and even encrypted messaging applications like WhatsApp, WeChat, Viber, Skype, Line, Telegram, Signal, and Threema. It can often bypass encryption by operating at a lower level or by hooking into the application itself.
    • Email clients: Stealing emails from various clients, for example, Thunderbird, Outlook, and Apple Mail.
    • VoIP call recording: Recording voice over IP (VoIP) calls made through applications like Skype.
    • Call and SMS logging (mobile): Recording incoming and outgoing calls, and capturing SMS messages.
  • Persistence mechanisms
    A crucial aspect of any RAT is its ability to remain on the system and survive reboots. FinSpy employs the following advanced techniques to achieve this:

    • Registry run keys and startup folders (Windows): Creating entries that automatically launch the malware when the system starts.
    • Windows services: Installing itself as a legitimate-looking Windows service.
    • Bootkits (MBR and UEFI): This is a particularly stealthy and persistent method.
      • MBR (Master Boot Record) bootkits: For older systems, FinSpy can infect the MBR, ensuring it loads before the operating system, making it very difficult to detect and remove.
      • UEFI (Unified Extensible Firmware Interface) bootkits: For modern systems, FinSpy has evolved to target UEFI, replacing or modifying the Windows Boot Manager to load its malicious components at the earliest possible stage of the boot process. This provides deep system control and persistence, even surviving OS reinstalls.
    • Launch agents (macOS): On macOS, it establishes persistence by writing files to directories that load applications at startup.
  • Anti-detection and evasion techniques
    FinSpy is known for the following sophisticated efforts to avoid detection by security software and researchers:

    • Heavy obfuscation: Using techniques like custom packers, XOR-based encryption, and "spaghetti code" to make reverse engineering difficult.
    • Anti-analysis checks: Detecting if it's running in a virtual machine (VM), sandbox, or debugger, and altering its behavior to avoid being analyzed, for example, exiting and delivering only shellcode.
    • Rootkit functionality: Hiding its presence on the system by manipulating system functions and operating at a low level.
    • UAC bypass (Windows): Bypassing user account control to gain elevated privileges without user interaction.
    • DLL sideloading and hijacking: Abusing legitimate DLLs to load its malicious components.
    • Clearing event logs: Removing traces of its activity from system logs.
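The registry run keys, Windows services, launch agents, and DLL sideloading items above are the places a defender checks first on a suspect host. The triage routine below is an added example, not code from the original article or from any FinFisher analysis; it reviews autostart entries from both platforms the article names and flags the patterns a dropped RAT component would typically show: a Run-key value launching from a user-writable or temporary directory, a system loader host such as rundll32 executing a payload from such a directory, and a macOS LaunchAgent whose program lives in a temp or hidden user directory and is set to restart itself. The directory patterns, the Run-key entries, and the plist contents are constructed assumptions for illustration, not indicators taken from real FinSpy samples.

```python
import plistlib
import re
from dataclasses import dataclass

# Constructed heuristics: user-writable and temporary locations where a dropped
# component would normally sit.  Legitimate software rarely autostarts from here.
SUSPICIOUS_WINDOWS = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Temp)\\|%TEMP%|%APPDATA%",
    re.IGNORECASE,
)
SUSPICIOUS_MACOS = re.compile(r"^(/tmp/|/private/tmp/|/Users/[^/]+/Library/\.|/Users/[^/]+/\.)")
# Signed system binaries commonly used to load a DLL or script from elsewhere.
LOADER_HOSTS = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str
    name: str
    command: str
    reasons: list


def triage_windows_run_entries(entries: dict) -> list:
    """entries: {value_name: command} as exported from a Run key."""
    findings = []
    for name, cmd in entries.items():
        reasons = []
        if SUSPICIOUS_WINDOWS.search(cmd):
            reasons.append("launches from a user-writable or temporary directory")
            if LOADER_HOSTS.search(cmd):
                reasons.append("system loader host executing a payload from a user directory")
        if reasons:
            findings.append(Finding("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", name, cmd, reasons))
    return findings


def triage_launch_agent(plist_bytes: bytes, plist_path: str) -> list:
    """Parse one LaunchAgent plist and flag program paths in odd locations."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or [p.get("Program", "")]
    reasons = []
    if any(SUSPICIOUS_MACOS.match(a) for a in args):
        reasons.append("program lives in a temp or hidden user directory")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: launchd restarts it if it is killed")
    if not reasons:
        return []
    return [Finding(plist_path, p.get("Label", "?"), " ".join(args), reasons)]


# Constructed sample data (not real FinSpy artifacts).
WIN_RUN = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r"rundll32.exe C:\Users\alice\AppData\Roaming\Updater\upd.dll,Start",
}

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/Sync</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updates.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/helper</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def run_triage() -> list:
    """Run every check over the constructed data and return all findings."""
    return (triage_windows_run_entries(WIN_RUN)
            + triage_launch_agent(BENIGN_PLIST, "~/Library/LaunchAgents/com.example.sync.plist")
            + triage_launch_agent(SUSPICIOUS_PLIST, "~/Library/LaunchAgents/com.apple.updates.helper.plist"))


if __name__ == "__main__":
    for f in run_triage():
        print(f"[{f.source}] {f.name}: {f.command}\n    " + "\n    ".join(f.reasons))
```

The point of the macOS check is the label: a LaunchAgent calling itself something Apple-like while its program sits in a hidden directory under the user's home is exactly the combination these heuristics are meant to surface; feed it real exports of the Run key and the LaunchAgents folder rather than the constructed data to use it on a host.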
