Last-minute paper: FinFisher: New techniques and infection vectors revealed

Thursday 5 October 10:00 - 10:30, Green room

Filip Kafka (ESET)



The infamous spyware FinSpy continues to be in active use in 2017, despite the fact that a lot of security experts have been monitoring the threat. In order to avoid detection and remain in the multi-million-dollar business, the malware authors have continued active development of the malware.

On top of having received technical improvements, the latest variant uses a cunning new infection vector. In some of the cases observed by ESET researchers, Internet service providers (ISPs) seem to be involved in the infection process.

The attack starts when a user – a potential surveillance target of interest – wants to download and install one of several popular applications from their legitimate – and in some cases official – websites. Applications such as WhatsApp, Skype, Avast Free Antivirus, WinRAR, VLC Player, Opera, as well as specialized software particularly used by selected groups of interest, have been abused. After clicking on the download link, the user is redirected to a version of the application that is infected with FinSpy.

The trojanized software is interesting, but this is something that has been done by other malware in the past; in fact, it is the most popular method of spreading Android malware. However, the key aspect of FinSpy’s new distribution mechanism is a unique way of serving the trojanized installers through a man-in-the-middle attack, which allows the operators to target specific victims.

While it would technically be possible to carry out such attacks using e.g. compromised Wi-Fi hotspots, the geographic spread of ESET’s detections of FinSpy and other evidence suggest the MITM attack is happening at a higher level – an ISP, we believe.

If confirmed, this FinSpy campaign would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach.
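As an added example (not from the paper or from ESET), here is one way a defender could look for the download redirection described above in web-proxy logs. It assumes the redirection is visible as an HTTP 3xx response, which the abstract does not state; the log format, host names and `find_suspicious_redirects` are constructed for illustration.

```python
from urllib.parse import urlsplit

INSTALLER_EXT = (".exe", ".msi", ".dmg", ".apk", ".zip")
REDIRECT_CODES = {"301", "302", "303", "307", "308"}

# Constructed sample log: time client method url status location ("-" if none)
SAMPLE_LOG = """\
2017-10-05T09:00:01 10.0.0.5 GET http://downloads.vendor.example/app-setup.exe 200 -
2017-10-05T09:00:07 10.0.0.8 GET http://downloads.vendor.example/app-setup.exe 307 http://cdn.other.example/files/app-setup.exe
2017-10-05T09:01:12 10.0.0.9 GET http://www.vendor.example/download 302 http://downloads.vendor.example/app-setup.exe
2017-10-05T09:02:30 10.0.0.8 GET https://get.tool.example/tool.msi 302 http://get.tool.example/mirror/tool.msi
"""

def site(host):
    """Naive registrable domain: the last two labels.
    Assumption: a production tool would use the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])

def find_suspicious_redirects(log_text):
    """Return installer downloads that were redirected to another site
    or downgraded from HTTPS to cleartext HTTP."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, client, _method, url, status, location = parts
        if status not in REDIRECT_CODES or location == "-":
            continue
        src, dst = urlsplit(url), urlsplit(location)
        if not dst.hostname:
            continue  # relative redirect stays on the same host
        is_installer = (src.path.lower().endswith(INSTALLER_EXT)
                        or dst.path.lower().endswith(INSTALLER_EXT))
        if not is_installer:
            continue
        reasons = []
        if site(src.hostname or "") != site(dst.hostname):
            reasons.append("cross-site")
        if src.scheme == "https" and dst.scheme == "http":
            reasons.append("https-downgrade")
        if reasons:
            findings.append((ts, client, url, location, reasons))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_redirects(SAMPLE_LOG):
        print(finding)
```

A hit is only a lead for triage: legitimate vendors also redirect downloads to CDNs, so the redirect target and the downloaded file's code signature still need to be checked against the vendor's own.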

FinSpy has also evolved technically, its authors putting even greater focus on stealth. The malware uses a custom virtual machine protecting all of its parts, including the kernel-mode driver. Custom anti-sandbox, anti-disassembly, anti-debug and anti-emulation tricks have been found in the malware. This demonstrates a great deal of effort on the part of the malware writers.

In our presentation, we will describe the background of the FinSpy spreading vectors and analyse the various obfuscation techniques implemented in the new FinSpy variants, which we overcame by fully devirtualizing the samples.

 

 


Filip Kafka

Filip Kafka is a malware analyst in ESET's Malware Analysis Laboratory. His main responsibilities include detailed malware analyses and training new reverse engineers in the ESET Virus Lab, but his professional interests, as well as his latest research, focus on APTs. His experience as a speaker includes a reverse engineering course which he runs at the Slovak University of Technology and the Comenius University, and several events to raise awareness about malware and computer security, presented for local universities.

