FinFisher, also known as FinSpy, has a history of being used
in surveillance campaigns, both against legitimate targets and against political opposition in countries with oppressive
regimes. Despite this, the most recent thorough analyses dealt with samples dating
back to 2010. Since then, the FinFisher spyware has gained strong
anti-analysis measures, which is apparently also the reason why the most recent
reports about FinFisher don't go into much technical detail. In one of the
reports, a reputable security company even admitted that due to the strong
obfuscation, it was not possible to extract the C&C servers.
Having discovered a wave of surveillance campaigns in several
countries in mid-2017, ESET researchers dug deep into the samples of FinFisher.
To be able to start a thorough analysis of how these recent samples work, they
first had to break through all of FinFisher’s protective layers.
We have also released a whitepaper to help malware analysts and security
researchers overcome FinFisher’s advanced anti-disassembly and virtualization
features.
“The company behind FinFisher has built a
multimillion-dollar business around this spyware – so it comes as no surprise
that they put a much bigger effort into hiding and obfuscation than most common
cybercriminals. Our aim is to help our peers analyze FinFisher and thus protect
internet users from this threat,” comments Filip Kafka, ESET malware analyst
who leads the analysis of FinFisher.
Kafka expects the FinFisher creators to improve
their protections to make FinFisher hard to analyze again. “With their huge
resources, there is no doubt FinFisher will receive even better anti-analysis
features. However, I expect their additional measures to cost more to implement
while being easier to crack for us the next time around,” he says.
ESET’s research into FinFisher is ongoing. In the
first stage, ESET researchers focused on the infection vector used in the
mentioned campaigns. They strongly believe internet service providers have played the key role in infecting the victims with FinFisher.
Filip Kafka’s presentations of these findings along
with a brief overview of FinFisher’s anti-analysis capabilities raised a lot of
interest at the Virus Bulletin Conference as well as the AVAR
conference in 2017.
Learn about the latest ESET research into FinFisher: "ESET's guide to deobfuscating and devirtualizing FinFisher"