New campaigns featuring the infamous FinFisher spyware are using a previously unseen infection vector, strongly suggesting that Internet service providers (ISPs) might be involved in the distribution process, ESET security researchers warn.
Also known as FinSpy, the malware has been around for over half a decade and is being sold exclusively to governments and their agencies worldwide for surveillance purposes. The use of this lawful interception solution has increased, and researchers observed it earlier this month abusing a .NET framework zero-day tracked as CVE-2017-8759 for distribution.
The tool has been designed with extensive spying capabilities, including live surveillance through webcams and microphones, keylogging, and exfiltration of files. Unlike other surveillance programs, however, FinFisher is marketed as a law enforcement tool. It is also believed to have been used by oppressive regimes.
The recent attacks, ESET says, show a series of technical improvements and have been observed in seven countries. The campaigns revealed the use of a man-in-the-middle (MitM) attack for distribution, and ESET believes that the “man” in the middle most likely operated at the ISP level.
Historically, FinFisher campaigns used infection mechanisms such as spear-phishing, manual installations when physical access to devices was available, 0-day exploits, and so-called watering hole attacks. The new vector, however, was seen in only two of the countries where the latest FinFisher spyware variants were found.
“When the user – the target of surveillance – is about to download one of several popular (and legitimate) applications, they are redirected to a version of that application infected with FinFisher. The applications we have seen being misused to spread FinFisher are WhatsApp, Skype, Avast, WinRAR, VLC Player and some others,” the security researchers say.
Considering that the attack starts with the user searching for the affected application on the Internet, virtually any application could be misused in this way, ESET says. Once the user clicks on the download link, however, the browser is served a modified link and is redirected to a Trojanized package hosted on the attacker’s website. As a result, both the legitimate application and the FinFisher spyware bundled with it are installed.
The redirection, the security researchers say, is achieved through replacing the legitimate download link with a malicious one, which is delivered to the browser via an HTTP 307 Temporary Redirect status response code, suggesting that the requested content has been temporarily moved to a new URL. The redirection process, the researchers note, is performed without the user’s knowledge.
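As an added example that is not part of ESET’s report, the following Python checks a captured download response for the pattern described above: a cleartext request for an installer answered with a 307 whose Location points at a host other than the one the user asked for. The URLs and hostnames are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample traffic (placeholder hostnames, not real indicators):
# the user requested an installer over plain HTTP and the network answered
# with a 307 pointing at a different host, the pattern described in the article.
REQUEST_URL = "http://downloads.vendor.example/installer.exe"
MITM_RESPONSE = (
    "HTTP/1.1 307 Temporary Redirect\r\n"
    "Location: http://mirror.attacker.example/installer.exe\r\n"
    "Content-Length: 0\r\n\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n\r\n"
)

def parse_head(raw):
    """Return (status_code, {lowercased header: value}) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", head[0])
    if not m:
        raise ValueError("malformed status line")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def check_download_redirect(request_url, raw_response):
    """Flag a download that is redirected away from the host the user asked for.

    A redirect by itself is normal (vendors use CDNs); the suspicious combination
    is a cleartext request answered with a 3xx whose Location is on another host.
    """
    status, headers = parse_head(raw_response)
    req = urlparse(request_url)
    result = {"status": status, "cleartext": req.scheme == "http",
              "redirected": 300 <= status < 400, "cross_host": False}
    if result["redirected"] and "location" in headers:
        # Location may be relative; a relative target stays on the requested host.
        loc = urlparse(headers["location"])
        target_host = (loc.hostname or req.hostname or "").lower()
        result["target_host"] = target_host
        result["cross_host"] = target_host != (req.hostname or "").lower()
    result["suspicious"] = result["cleartext"] and result["cross_host"]
    return result

if __name__ == "__main__":
    print(check_download_redirect(REQUEST_URL, MITM_RESPONSE))
```

Run against proxy or packet-capture exports, the same check separates ordinary same-host or HTTPS redirects from the cross-host cleartext redirect the report describes.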
The new FinFisher versions also show an increased focus on stealth through the use of custom code virtualization to protect components such as the kernel-mode driver. The code also features a multitude of anti-disassembly tricks, along with anti-sandboxing, anti-debugging, anti-virtualization, and anti-emulation functions.
The malware was also observed masquerading as an executable file named “Threema,” a file that could be used to target privacy-concerned users, given that the legitimate Threema app offers secure instant messaging with end-to-end encryption. ESET also discovered an installation file of TrueCrypt that had been Trojanized with FinFisher.
While the attackers performing the MitM attacks could be situated at various positions between the computer and the server, the geographical dispersion of the detections suggests that the attacks are happening at a higher level, and an ISP emerges as the most probable option, the researchers say.
Supporting the assumption is the fact that leaked documents from UK-based Gamma Group, the company that initially sold FinFisher, revealed a solution called “FinFly ISP” that was being deployed on ISP networks. The tool had the capabilities needed to perform this type of MitM attack. Also, the HTTP 307 redirect used is implemented in the same way in both affected countries, meaning that it was developed and/or provided by the same source.
Furthermore, all of the affected targets within a country were found to use the same ISP, and the very same redirection method and format have been previously used by ISPs to filter Internet content in at least one of the affected countries.
“The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed – until now. If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach,” ESET concludes.