Kaspersky has presented the findings of an eight-month probe into the FinFisher spyware toolset – including the discovery of a UEFI “bootkit” infection method and “advanced anti-analysis methods” such as “four-layer obfuscation.”
FinFisher, also known as FinSpy, is a product from Anglo-German spy firm Gamma International and is supplied exclusively to law enforcement and intelligence agencies for use as a surveillance tool. The software was allegedly used by the former Egyptian government of Hosni Mubarak to spy on dissidents and by the Bahraini government to spy on Bahraini activists in Britain – the latter case resulting in a finding that the software's use breached human rights.
The toolkit receives frequent updates to evade detection and add new functionality, with Kaspersky having previously investigated a 2019 update which boosted its spying capabilities to include chat, physical movement, microphone, and camera access, alongside locally stored data capture and exfiltration.
In Kaspersky’s latest report on the tool, the company’s research team claimed that Gamma International has been working on hiding the tool from anti-malware detection and even professional analysis.
“Unlike previous versions of the spyware, which contained the Trojan in the infected application right away, new samples were protected by two components: non-persistent Pre-validator and a Post-Validator,” the report said.
The pre-validator runs a series of checks to decide whether the machine being infected might belong to a security researcher analysing the malware, and aborts the infection if any of them trip. If none do, the command-and-control server supplies a post-validator, which confirms that the machine is the intended target. Only when both stages pass is the Trojan itself downloaded and installed, so a sandbox or analyst workstation never receives the final payload.
The researchers also discovered a “four-layer obfuscation” system, designed to protect the malware from analysis should a sample fall into the wrong hands, and one sample that replaced the Windows Unified Extensible Firmware Interface (UEFI) bootloader with a malicious equivalent – installing a boot-time infection without triggering firmware security checks.
“The amount of work that was put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive. It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself,” said Kaspersky’s Igor Kuznetsov in a statement as the researchers presented their findings at the Security Analyst Summit 2021 today.
“As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect. The fact that this spyware is deployed with high precision and is practically impossible to analyse also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample.”
“UEFI infections are very rare and generally hard to execute; they stand out due to their evasiveness and persistence,” the researchers claimed. “While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”
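Because the infection described above replaces the Windows boot manager on the EFI System Partition rather than the firmware itself, it can be checked for from a running system. The following script is an added example, not code from Kaspersky's report or from Gamma's product: it mounts the EFI System Partition, verifies that the Windows Boot Manager (bootmgfw.efi) still carries a valid Microsoft Authenticode signature, lists every other .efi binary on the partition with its signer, and reports the Secure Boot state. It assumes the default Microsoft boot path on the ESP and that the drive letter S: is free; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from Kaspersky's report): integrity check of the UEFI boot stage
# that FinFisher's bootkit sample replaces. Run as Administrator.
# Assumption: S: is an unused drive letter; change it if needed.
$espLetter = 'S:'

# The EFI System Partition is hidden by default; /S mounts it at the given letter.
mountvol $espLetter /S | Out-Null

try {
    # Default location of the Windows Boot Manager on the ESP.
    $bootMgr = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'

    if (-not (Test-Path $bootMgr)) {
        Write-Warning "Boot manager not found at $bootMgr"
    } else {
        $sig  = Get-AuthenticodeSignature -FilePath $bootMgr
        $hash = (Get-FileHash -Path $bootMgr -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        Write-Output "bootmgfw.efi SHA256 : $hash"
        Write-Output "Signature status    : $($sig.Status)"
        Write-Output "Signer              : $signer"

        # A replaced boot manager will either be unsigned, carry a broken signature,
        # or be signed by something other than Microsoft.
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            Write-Warning 'bootmgfw.efi is not validly signed by Microsoft - investigate this machine'
        }
    }

    # Enumerate every EFI binary on the partition with its signature status so that
    # unexpected loaders, or a renamed original sitting beside the malicious one, stand out.
    Write-Output ''
    Write-Output 'All EFI binaries on the ESP:'
    Get-ChildItem -Path "$espLetter\" -Recurse -Filter '*.efi' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            $who = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { '<unsigned>' }
            '{0,-70} {1,-12} {2}' -f $_.FullName, $s.Status, $who
        }

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try {
        Write-Output ''
        Write-Output "Secure Boot enabled : $(Confirm-SecureBootUEFI)"
    } catch {
        Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)"
    }
} finally {
    # Always unmount the ESP again, even if a check above failed.
    mountvol $espLetter /D
}
```

A valid Microsoft signature on bootmgfw.efi and Secure Boot reported as enabled are necessary but not sufficient: compare the SHA256 against the hash from a known-clean installation of the same Windows build, and treat any additional signed-by-unknown or unsigned .efi file on the partition as something to explain.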
“I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge,” Kuznetsov concluded, “as well as invest in new types of security solutions that can combat such threats.”
Kaspersky’s advice to anyone looking to protect themselves from FinFisher and similar attacks: obtain software only from trusted websites; keep all software and the operating system itself up-to-date; “distrust email attachments by default”; and avoid installing software from unknown sources.
The full report is available to read on Kaspersky’s Securelist now. The company declined to share details about the number or identities of the targets discovered during the investigation – though it did state the two UEFI infection targets were located in Europe and Asia.
Gamma International did not respond to a request for comment at the time of publication. ®