A team of researchers spent almost eight months investigating FinFisher, a stealthy spyware also known as FinSpy. First seen in 2011, the malware now packs a number of improvements and upgrades.
What are the discoveries in this FinFisher malware?
According to the research, the latest version of FinSpy comes with a highly sophisticated infection method: the attackers use a UEFI bootkit to infect target machines. With this bootkit, the genuine boot sequence of the Windows Boot Manager can be altered.
Infecting the UEFI firmware means the bootkit is installed in the SPI flash storage, which is soldered to the machine’s motherboard. Reinstalling the operating system or replacing the hard drive might therefore no longer be as effective as it once was, since the infection is highly persistent. This makes it all the more problematic for cybersecurity authorities.
Bootkits of this kind are very complicated for researchers to analyze. The attackers gain control over the operating system’s boot process, and the specific design of this bootkit also disables defences by evading the Secure Boot mechanism. The researchers added that the makers of FinFisher put an extreme amount of effort into protecting the spyware’s integrity and making its data difficult to crack.
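As an added example (not part of the original report, and not FinFisher’s or the researchers’ code), the following Python locates UEFI firmware volumes in an SPI flash dump and hashes each one against a golden dump of the same board, so a volume altered in flash stands out even after the OS or disk has been replaced; the dumps and volumes it works on are constructed inline.

```python
import hashlib
import struct

# EFI_FIRMWARE_VOLUME_HEADER: ZeroVector[16], FileSystemGuid[16], FvLength u64,
# Signature "_FVH", Attributes u32, HeaderLength u16, Checksum u16,
# ExtHeaderOffset u16, Reserved u8, Revision u8 (56 bytes), then the block map.
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")
FV_SIGNATURE = b"_FVH"
SIG_OFFSET = 40  # the signature starts 40 bytes into the header

def find_volumes(image: bytes):
    """Yield (offset, length) of each plausible firmware volume in a flash dump.
    The header checksum is not verified here; a production tool should do so."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FV_HEADER.size <= len(image):
            f = FV_HEADER.unpack_from(image, start)
            fv_len, hdr_len = f[2], f[5]
            if FV_HEADER.size <= hdr_len <= fv_len and start + fv_len <= len(image):
                yield start, fv_len
                pos = image.find(FV_SIGNATURE, start + fv_len)
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)

def volume_hashes(image: bytes) -> dict:
    """Map volume offset -> SHA-256 of the whole volume (header and contents)."""
    return {off: hashlib.sha256(image[off:off + ln]).hexdigest()
            for off, ln in find_volumes(image)}

def compare(baseline: dict, current: dict) -> dict:
    """Volumes whose hash changed, plus volumes added or missing vs. the baseline."""
    return {"modified": sorted(o for o in baseline if o in current and baseline[o] != current[o]),
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}

def _make_volume(payload: bytes) -> bytes:
    """Build a toy volume: 56-byte header, one block-map entry, terminator, payload."""
    total = FV_HEADER.size + 16 + len(payload)
    hdr = FV_HEADER.pack(b"\0" * 16, b"\x11" * 16, total, FV_SIGNATURE, 0,
                         FV_HEADER.size + 16, 0, 0, 0, 2)
    return hdr + struct.pack("<IIII", 1, total, 0, 0) + payload

# Constructed dumps (not real firmware): padding, a boot-manager-like volume, an NVRAM-like volume.
GOLDEN = (b"\xff" * 32 + _make_volume(b"bootmgr-dxe-original" * 4)
          + b"\xff" * 16 + _make_volume(b"nvram" * 8))
# Same-size edit inside the first volume: only that volume's hash changes.
TAMPERED = GOLDEN.replace(b"bootmgr-dxe-original", b"bootmgr-dxe-implant!")
```

On a real board the baseline would be a dump taken from known-good firmware (or the vendor image), and the comparison is a complement to, not a substitute for, TPM-measured boot attestation.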
The anti-analysis tricks and obfuscation of this malware were a struggle for many researchers.
The researchers observed multiple layers of obfuscation and anti-analysis tactics in some of the FinFisher samples.
In the initial phase of infection, a malicious component identified as the Pre-Validator is downloaded and launched. Its purpose is to check that the target’s machine is not running under any malware analysis program. If any of these security checks fail, the infection process is terminated.
If all the security checks pass, the malicious server proceeds to install a component named “Post-Validator.” This component gathers additional information from the target’s machine and sends it to the C2 server. These samples therefore need a lot more work and time to be uncovered and analyzed.
Unfortunately, these efforts paid off: most of the malware samples successfully evaded almost every detection attempt.
Over the years, FinFisher has been used by government agencies, although in the past it was also used solely for spear-phishing campaigns. Today it remains one of the most dangerous and stealthiest malware families in the wild because of its UEFI bootkit, advanced obfuscation, and anti-analysis tactics.