Threat Watch

FinSpy Now Armed with Complex Multilayered Infection

On Tuesday, researchers presenting at Kaspersky's 2021 Security Analyst Summit (SAS) reported their findings on the highly sophisticated surveillanceware FinSpy, also known as FinFisher or Wingbird.

After an eight-month investigation, researchers Igor Kuznetsov and Georgy Kucherin found that the software has been upgraded with new infection angles and now runs a complex, multi-stage user-mode infection chain. They also noted that, in addition to Trojanized installers, FinSpy can be loaded by a Unified Extensible Firmware Interface (UEFI) bootkit or, on older machines that still boot from legacy BIOS, by a Master Boot Record (MBR) bootkit. The 300-page report details each module and its obfuscated shellcode.
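An MBR bootkit of the kind described above has to replace the bootstrap code in sector 0 of the boot disk, so one check a responder can run is to compare that sector against a known-good baseline. The following is an added example written for this page, not code from the Kaspersky report or from the FinSpy research; it parses the MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap code, and reports drift from a baseline. The two sample sectors are constructed inline for illustration and are not real boot code or FinSpy artifacts.

```python
"""MBR baseline check (added example; sample sectors are constructed, not real)."""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446            # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow the bootstrap code
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
PARTITION_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY_FMT, sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; empty means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct an illustrative MBR: given bootstrap bytes, one bootable partition, signature."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    # One bootable type-0x07 partition starting at LBA 2048 (values chosen for the example).
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed samples: a "clean" sector and a copy whose bootstrap code has been patched.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = make_sample_mbr(b"\xfa\x33\xc0\xe9\x00\x02")


def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a disk image or block device (device reads need root)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    if len(sys.argv) > 1:
        # Usage: python mbr_check.py /path/to/disk.img   (compares against the sample baseline)
        target = read_sector0(sys.argv[1])
    else:
        target = TAMPERED_MBR
    for finding in check_against_baseline(target, baseline) or ["no drift from baseline"]:
        print(finding)
```

In practice the baseline hash should be captured from a trusted image of the same machine, and the sector should be read from a trusted boot medium or an offline disk image: a bootkit that hooks disk I/O can return the original sector to the running OS. UEFI bootkits live in the EFI system partition or firmware volumes rather than sector 0, so this check says nothing about that path.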

The highly modular surveillanceware collects and encrypts a wide range of data from infected devices, including stored media, OS information, browser and Virtual Private Network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.

According to Kuznetsov, once deployed, FinSpy encrypts all memory pages belonging to the whole infrastructure. He also emphasized that the “story is never-ending. [Developers] will keep updating and upgrading their infrastructure, all the time.”

ANALYST NOTES

Since 2014, FinSpy has been known as spyware that is very hard to detect, using multiple evasion techniques and obfuscation measures to hinder detection and analysis. As cybersecurity experts close in on this spyware, recommendations include:


  • Ensure that all operating systems and software are continuously updated.
  • Download applications and programs only from trusted websites.
  • Provide cybersecurity training to improve detection and reporting.
  • Protect your endpoints with Managed Detection and Response solutions, such as those provided by Binary Defense, to identify attacks in the early stages.


Resource:

FinSpy: unseen findings