On Tuesday, researchers presenting at Kaspersky’s 2021 Security Analyst Summit (SAS) reported their findings on the highly sophisticated surveillanceware FinSpy, also known as FinFisher or Wingbird.
After an eight-month investigation, researchers Igor Kuznetsov and Georgy Kucherin found that the software has been upgraded with new infection vectors and is capable of running a complex, multi-stage chain of user-mode infections. They also noted that, in addition to Trojanized installers, FinSpy can be loaded through Unified Extensible Firmware Interface (UEFI) bootkits or, on older machines, through Master Boot Record (MBR) bootkits. The 300-page report detailed each module and its obfuscated shellcode.
The highly modular surveillanceware is capable of collecting and encrypting a wide range of data from infected devices. This includes stored media, OS information, browser and Virtual Private Network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.
According to Kuznetsov, once deployed, FinSpy encrypts all memory pages belonging to the whole infrastructure. He also emphasized that the “story is never-ending. [Developers] will keep updating and upgrading their infrastructure, all the time.”