After an eight-month analysis of the FinFisher spyware toolkit, Kaspersky presented its findings at the Security Analyst Summit 2021 on Tuesday, 28 September. The toolkit includes four-layer obfuscation, a two-stage loader, and a new UEFI “bootkit” attack.
FinSpy, also known as FinFisher or Wingbird, is software from Gamma International, used for surveillance and sold exclusively to intelligence and law enforcement agencies.
Kaspersky has been tracking it closely since 2011 and has observed its frequent updates, released to evade detection and add new features.
“Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time,” said Kaspersky’s team in its latest report.
The software is protected by two components, the pre-validator and the post-validator, added to hide FinSpy’s toolkit from anti-malware detection. The pre-validator checks whether the target system belongs to a security analyst or runs malware-detection tools. The post-validator confirms that a suitable target machine has been selected. Only once both checks pass and the right machine has been confirmed does FinSpy download and install the Trojan.
Another concerning finding is a four-layer obfuscation scheme that shields the malware from analysis and detection in case a sample falls into the wrong hands. Kaspersky also discovered FinSpy’s UEFI bootkit, which on infection replaced the Windows Boot Manager with a malicious version of its own.
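A bootkit that swaps the Windows Boot Manager on the EFI System Partition for its own binary leaves two structural traces a defender can check: the file's hash no longer matches the recorded baseline, and the replacement may lack the Authenticode certificate table that a Microsoft-signed boot manager carries. The script below is an added illustration, not code from Kaspersky's report or from FinSpy; it parses the PE headers of a candidate EFI executable, reports whether a certificate table is present, and compares the file's SHA-256 with a baseline. The PE images it examines are constructed in memory, and the baseline hash is computed from the constructed "good" image rather than from a real `bootmgfw.efi`.

```python
import hashlib
import struct

# Index of the Authenticode certificate table in the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file image, hex encoded, for baseline comparison."""
    return hashlib.sha256(data).hexdigest()


def build_minimal_pe32plus(signed: bool, payload: bytes = b"") -> bytes:
    """Build a minimal PE32+ image (constructed test data, not a real boot manager).

    With signed=True a WIN_CERTIFICATE header with placeholder DER bytes is
    appended and referenced from the security data directory, mimicking the
    layout of an Authenticode-signed file without a real signature.
    """
    opt_size = 240                                    # PE32+ optional header, 16 data dirs
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)  # x64 COFF header
    headers_len = 64 + 4 + len(coff) + opt_size
    cert_table = b""
    if signed:
        cert_blob = b"\x30\x82" + b"\x00" * 16        # placeholder PKCS#7 bytes (constructed)
        # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (0x0002 = PKCS#7)
        cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert_offset = headers_len + len(payload)      # security dir holds a file offset
        dir_off = 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
        struct.pack_into("<II", opt, dir_off, cert_offset, len(cert_table))
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)               # e_lfanew -> "PE\0\0" at offset 64
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload + cert_table


def inspect_pe(data: bytes) -> dict:
    """Return whether data is a PE image and whether it has a certificate table."""
    info = {"is_pe": False, "has_authenticode": False}
    if len(data) < 64 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    coff_off = e_lfanew + 4
    if len(data) < coff_off + 20:
        return info
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]   # SizeOfOptionalHeader
    opt_off = coff_off + 20
    if opt_size < 2 or len(data) < opt_off + opt_size:
        return info
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:                                # PE32+
        n_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:                              # PE32
        n_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        return info
    info["is_pe"] = True
    entry = dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if len(data) < entry + 8:
        return info
    n_dirs = struct.unpack_from("<I", data, n_off)[0]
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        file_off, size = struct.unpack_from("<II", data, entry)
        info["has_authenticode"] = file_off != 0 and size != 0 and file_off + size <= len(data)
    return info


def assess_boot_manager(data: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means no structural anomaly."""
    findings = []
    info = inspect_pe(data)
    if not info["is_pe"]:
        return ["not a valid PE image"]
    if not info["has_authenticode"]:
        findings.append("no Authenticode certificate table")
    if sha256_hex(data) != baseline_sha256:
        findings.append("hash differs from recorded baseline")
    return findings


if __name__ == "__main__":
    known_good = build_minimal_pe32plus(signed=True, payload=b"BOOTMGR")
    baseline = sha256_hex(known_good)                 # what an admin would record at install time
    replaced = build_minimal_pe32plus(signed=False, payload=b"OTHER")
    print("known-good:", assess_boot_manager(known_good, baseline) or "clean")
    print("replaced:  ", assess_boot_manager(replaced, baseline))
```

A hash mismatch on its own is not proof of compromise, since a legitimate Windows update also changes the boot manager; it is a trigger to re-baseline after confirming the file's signature chain with a full Authenticode verifier. Likewise, the presence of a certificate table only says a signature blob exists, not that it is valid or issued by Microsoft, so the chain check remains the decisive step.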
Kaspersky expressed concern about the spyware’s improved capabilities and its greater resistance to security analysis tools. Being hard to track and detect means that potential victims are more exposed to cyber threats.
“I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge,” Kuznetsov added, “as well as invest in new types of security solutions that can combat such threats.”