Page 22 - EngineerIT October 2021

ICY SPYWARE


FinFisher spyware improves its arsenal with four levels of obfuscation, UEFI infection and more






Kaspersky researchers presented a comprehensive investigation into all the recent updates introduced into the FinSpy spyware for Windows, macOS and Linux, and into its installers. The research, which took eight months to complete, uncovers the four-layer obfuscation and advanced anti-analysis measures employed by the spyware's developers, as well as the use of a UEFI boot kit to infect victims. The findings point to a heavy emphasis on defence evasion, making FinFisher one of the hardest-to-detect spyware families to date.
FinFisher, also known as FinSpy or Wingbird, is a surveillance tool that Kaspersky has been tracking since 2011. It is capable of gathering various credentials, file listings and deleted files, as well as documents; of livestreaming or recording data; and of gaining access to the webcam and microphone. Its Windows implants were detected and researched several times up to 2018, after which FinFisher appeared to slip under the radar.
After that, Kaspersky solutions detected suspicious installers of legitimate applications such as TeamViewer, VLC Media Player and WinRAR, which contained malicious code that could not be connected to any known malware. That remained the case until the researchers discovered a website in Burmese that hosted both the infected installers and samples of FinFisher for Android, which allowed them to establish that the installers had been Trojanised with the same spyware. This discovery pushed Kaspersky researchers to investigate FinFisher further.
Unlike previous versions of the spyware, which carried the Trojan inside the infected application right away, the new samples were protected by two components: a non-persistent pre-validator and a post-validator. The first component runs multiple checks to ensure that the device it is infecting does not belong to a security researcher. Only when those checks pass does the server provide the post-validator component, which in turn ensures that the infected victim is the intended one. Only then does the server command deployment of the full-fledged Trojan platform.

FinFisher is heavily obfuscated with four complex, custom-made obfuscators. The primary purpose of this obfuscation is to slow down analysis of the spyware. On top of that, the Trojan also employs unusual ways to gather information. For instance, it uses the developer mode of browsers to intercept traffic that is otherwise protected by HTTPS.

The researchers also discovered a sample of FinFisher that replaced the Windows UEFI boot loader (the component that launches the operating system once the firmware has finished) with a malicious one. This way of infection allowed the attackers to install a boot kit without needing to bypass the firmware's own security checks, because the firmware itself is left untouched; note, however, that a replacement loader not signed with a key the firmware trusts is only executed if UEFI Secure Boot is not enforcing. UEFI infections are very rare and generally hard to execute, but they stand out due to their evasiveness and persistence. While in this case the attackers did not infect the UEFI firmware itself but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine.

"The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive. It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect. The fact that this spyware is deployed with high precision and is practically impossible to analyse also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample. I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge as well as invest in new types of security solutions that can combat such threats," comments Igor Kuznetsov, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

Pictured: Igor Kuznetsov, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

To protect yourself from threats such as FinFisher, Kaspersky recommends that you:
•   Download your apps and programs from trusted websites.
•   Don't forget to update your operating system and all software regularly. Many safety issues can be solved by installing updated versions of software.
•   Distrust e-mail attachments by default. Before clicking to open an attachment or follow a link, consider carefully: is it from someone you know and trust; is it expected; is it clean? Hover over links and attachments to see what they're named or where they really go.
•   Avoid installing software from unknown sources. It may, and often does, contain malicious files.
•   Use a strong security solution on all computers and mobile devices, such as Kaspersky Internet Security for Android or Kaspersky Total Security.
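As an added example for the boot loader replacement described in the article above (this is not code from the article or from Kaspersky's research; the S: drive letter and the reference path under the Windows directory are assumptions to be adjusted for the host), the following PowerShell, run from an elevated prompt on a UEFI-booted Windows machine, performs the checks a responder would start with: whether Secure Boot is enforcing, how many EFI System Partitions the disks carry, whether every EFI binary on the ESP carries a valid Authenticode signature, and whether the ESP copy of the Windows Boot Manager matches the copy Windows keeps under its own directory.

```powershell
# Added example, not code from the article or from Kaspersky's research.
# Run from an elevated PowerShell prompt on a UEFI-booted Windows host.
# Assumptions: drive letter S: is free to use for the EFI System Partition (ESP),
# and %SystemRoot%\Boot\EFI\bootmgfw.efi is the host's own reference copy of the
# Windows Boot Manager.

# 1. Is Secure Boot enforcing? An unsigned (or untrusted-signed) replacement
#    loader on the ESP is only executed by the firmware when it is not.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'unknown (legacy BIOS, or cmdlet unavailable)' }
"Secure Boot enforcing: $secureBoot"

# 2. List every EFI System Partition on every disk. More than one ESP, or an ESP
#    on an unexpected disk, is worth a closer look: the module described above
#    lived on a separate partition.
$espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
Get-Partition | Where-Object { $_.GptType -eq $espGuid } |
    Select-Object DiskNumber, PartitionNumber, Size, DriveLetter | Format-Table

# 3. Mount the system disk's ESP and verify the Authenticode signature of every
#    EFI binary on it. Windows' own loaders are signed by Microsoft; a status of
#    NotSigned or HashMismatch, or an unfamiliar signer, on bootmgfw.efi is the
#    finding that matters.
$esp = 'S:'
mountvol $esp /S

Get-ChildItem "$esp\EFI" -Recurse -Filter *.efi | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        Path   = $_.FullName
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Status = $sig.Status
        Signer = $signer
    }
} | Format-Table -AutoSize

# 4. Compare the ESP copy of the Windows Boot Manager with the copy Windows keeps
#    under its own directory (bcdboot installs the former from the latter). A
#    mismatch is not proof of compromise by itself (a stale ESP copy after
#    servicing looks the same), but it is reason to pull the file for analysis.
$espLoader = Join-Path $esp 'EFI\Microsoft\Boot\bootmgfw.efi'
$refLoader = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
$espHash   = (Get-FileHash -Path $espLoader -Algorithm SHA256).Hash
$refHash   = (Get-FileHash -Path $refLoader -Algorithm SHA256).Hash
if ($espHash -eq $refHash) {
    "bootmgfw.efi on the ESP matches $refLoader"
} else {
    "WARNING: bootmgfw.efi on the ESP ($espHash) differs from $refLoader ($refHash)"
}

mountvol $esp /D   # release the drive letter again
```

A loader that reports NotSigned, or one signed by anyone other than Microsoft, is the result to act on; a second ESP is also worth examining, since the module described above lived on a separate partition. Treat a hash mismatch in the last step as a lead rather than a verdict, and if Secure Boot reports as not enforcing, that alone is a gap worth closing, because it is exactly the condition under which an unsigned replacement loader gets run.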


