Kaspersky’s Secure List researchers just released new findings regarding the infamous surveillance toolset known as FinSpy, FinFisher or Wingbird.
Deeper Look into FinSpy’s Capabilities
The researchers have been tracking FinSpy’s development since 2011 and noticed an unexplained drop in its Windows detection rate in 2018. This is when the team started detecting suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader.
“Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan,” the report noted.
In addition to the trojanized installers, infections based on a UEFI or MBR bootkit were also observed. It is noteworthy that, while the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in Secure List’s report for the first time. The report features findings never seen before regarding the state of the FinSpy implants for Windows, Linux, and macOS.
The analyzed samples are protected with multiple layers of evasion techniques, including a pre-validator that runs security checks to ensure the device about to be infected does not belong to a security researcher. This component then downloads a series of security shellcodes from the C2 server and executes them. Each shellcode gathers specific system details, such as the current process name, and uploads them back to the server. If a check fails, the C2 server terminates the infection process.
The UEFI Bootkit Infection
The researchers came across a UEFI bootkit that was loading FinSpy. “All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager.
It is stored inside the efi\microsoft\boot\en-us\ directory, with the name consisting of hexadecimal characters. This directory contains two more files: the Winlogon Injector and the Trojan Loader. Both of them are encrypted with RC4. The decryption key is the EFI system partition GUID, which differs from one machine to another,” the report explained.
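An offline triage check for the two on-disk indicators the report describes above (a replaced bootmgfw.efi and extra hex-named files stashed in efi\microsoft\boot\en-us\), written here as an added example, not code from the report; the ESP contents, allowlist hash and file names are constructed placeholders, not real indicators.

```python
import hashlib
import re

# Paths relative to the ESP root, lower-cased, forward slashes.
BOOTMGR = "efi/microsoft/boot/bootmgfw.efi"
EN_US = "efi/microsoft/boot/en-us/"
# The report says the displaced original boot manager is stored in en-us
# under a name made of hexadecimal characters, next to two RC4-encrypted files.
HEX_STEM = re.compile(r"^[0-9a-f]+$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage_esp(files: dict, known_good_bootmgr: set) -> list:
    """files maps relative path -> content. Returns human-readable findings."""
    findings = []
    boot = files.get(BOOTMGR)
    if boot is None:
        findings.append("bootmgfw.efi missing")
    elif sha256_hex(boot) not in known_good_bootmgr:
        findings.append("bootmgfw.efi hash not in allowlist: " + sha256_hex(boot))
    for path in sorted(p for p in files if p.startswith(EN_US)):
        name = path[len(EN_US):]
        if name.endswith(".mui"):
            continue  # localized resource files are the expected contents
        if HEX_STEM.match(name.split(".")[0]):
            findings.append("hex-named file in en-us: " + name)
        if files[path][:2] == b"MZ":
            findings.append("PE image stored in en-us: " + name)
    return findings

# Constructed sample ESP trees; hashes and names are made up, not IoCs.
GOOD_BOOTMGR = b"MZ" + b"\x00" * 62 + b"legitimate boot manager stub"
ALLOWLIST = {sha256_hex(GOOD_BOOTMGR)}
CLEAN_ESP = {
    BOOTMGR: GOOD_BOOTMGR,
    EN_US + "bootmgfw.efi.mui": b"\x00" * 16,
    EN_US + "bootmgr.efi.mui": b"\x00" * 16,
}
INFECTED_ESP = {
    BOOTMGR: b"MZ" + b"\x00" * 62 + b"replaced loader stub",
    EN_US + "bootmgfw.efi.mui": b"\x00" * 16,
    EN_US + "1f3a5c7e9b0d2f4a": GOOD_BOOTMGR,  # stashed original bootmgfw.efi
    EN_US + "7d2e4b6c8a1f3e5d": b"\x8a\x11" * 8,  # stands in for an RC4 blob
    EN_US + "b4d6f8a0c2e4061a": b"\x5c\x90" * 8,
}

if __name__ == "__main__":
    for label, esp in (("clean", CLEAN_ESP), ("infected", INFECTED_ESP)):
        print(label, triage_esp(esp, ALLOWLIST) or ["no findings"])
```

On a real system the allowlist would hold the SHA-256 of the boot manager shipped with the installed Windows build, and the dictionary would be filled from a mounted copy of the ESP.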
Older machines that do not support UEFI can be infected through the MBR instead. The user mode infection, however, appears to be the most complex one. The report describes the attack scenario in these steps:
- The victim downloads a Trojanized application and executes it.
- During its normal course of operation the application connects to a C2 server, downloads and then launches a non-persistent component called the Pre-Validator. The Pre-Validator ensures that the victim machine is not used for malware analysis.
- The Pre-Validator downloads Security Shellcodes from the C2 server and executes them. In total, it deploys more than 30 shellcodes. Each shellcode collects specific system information (e.g. the current process name) and uploads it back to the server.
- In case a check fails, the C2 server terminates the infection process. Otherwise, it continues sending shellcodes.
- If all security checks pass, the server provides a component that we call the Post-Validator. It is a persistent implant likely used to ensure that the victim is the intended one. The Post-Validator collects information that allows it to identify the victim machine (running processes, recently opened documents, screenshots) and sends it to a C2 server specified in its configuration.
- Depending on the information collected, the C2 server may command the Post-Validator to deploy the full-fledged Trojan platform or remove the infection.
macOS/Linux FinSpy Orchestrator
The macOS/Linux orchestrator appears to be a simplified version of the Windows orchestrator, Secure List notes. Compared with the Windows version, the macOS and Linux version differs in the following components:
- The Virtual File System (plugins and configurations are stored in separate files)
- The ProcessWorm (its functionality is embedded into plugins)
- The communicator module (the Orchestrator exchanges data with C2 servers without additional modules)
- The application watcher (the Orchestrator does not report started or stopped processes to C2 servers)
The functionality of the Orchestrator itself remains the same: exchanging information with the C2 server, dispatching commands to plugins and managing recording files.
FinSpy is highly modular spyware into which a great deal of work has been put. The threat actors behind it have gone to extreme lengths to make it inaccessible to security researchers. This effort is both worrying and impressive. An equal amount of effort has gone into obfuscation, anti-analysis, and the trojan itself.
“The fact that this spyware is deployed with high precision and is practically impossible to analyze also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample,” the report concluded.
Another Example of UEFI Malware
A year ago, Kaspersky discovered a new UEFI attack, where a compromised UEFI firmware image contained a malicious implant. Part of a malware framework called MosaicRegressor, the attack compromised victims with ties to North Korea between 2017 and 2019.
Unified Extensible Firmware Interface (UEFI) is the technology that connects a computer’s firmware to its operating system and is intended to eventually replace the legacy BIOS. It is installed during manufacturing and is the first code to run when a computer starts. Unfortunately, the technology has become a target of malicious actors in “exceptionally persistent attacks,” as Kaspersky researchers put it.