FinFisher, is also known as FinSpy and detected by Microsoft security products as Wingbird. It uses all kinds of tricks, junk instructions and “spaghetti code”, multiple layers of virtual machines, and several known and lesser-known anti-debug and defensive measures. For learning purposes, I am recreating the hacking forensics trail of discoveries here. The resources used are at the bottom of this page.

The story

May 2012, several Bahrain activists located in the US and Bahrain started receiving emails with suspicious attachments (rar's). They sent them to journalists from Bloomberg who provided the attachments to Citizen Lab, who created a first analysis of the files.

A spokesman from Gamma International UK Ltd., the company producing FinFisher as a “Governmental IT Intrusion and Remote Monitoring Solutions” product, responded to the press stating that FinFisher was never sold to Bahrain and that a copy might have been stolen and re-engineered for some unauthorized use. Hmmm?

Rapid7 gave it a quick run in Cuckoo Sandbox, which gave some initial insights on the general behaviour of the malware: It creates a directory (the name is randomized at every execution), and drops a copy of itself in that same directory, which is also launched. This new process is the one installing the components used to retain access on the compromised machine. It then drops an additional file in the user's Temp directory and this file was observed being consistently dropped by all the other payloads associated with these attacks. The process concludes its execution by creating yet another directory, used for storing all the dumped data, logs and screenshots to be later communicated to the operators' C&C server.

The actual malware mechanics comes into play just after a first reboot following the compromise. At this point we can observe severe changes in the system and aggressive takeover of the system processes.

  • winlogon.exe is injected with malicious code: This process is used as a main container for the malware, from which it performs Process Hollowing. This is a common practice in malware development, consisting of spawning legitimate processes and, once loaded, replacing their original code with malicious code.
  • winlogon.exe starts an Internet Explorer instance with the “-nohome” options and performs the takeover: The network communication is initiated from the context of the Internet Explorer process, which is often used as a convenient way to bypass local firewalls as it is/used to be a trusted application.
  • Hooking: FinFisher installs inline user-mode hooks in functions in every running process and installs an IAT hook of the function ntdll.dll!CsrClientCallServer in winlogon.exe, which is most likely used to catch every new process registered to the CSRSS subsystem.

Because the services binded on the ports the malware tries to exchange binary data with, responded in an unusual way whenever performing any, even malformed, HTTP request, fingerprinting was easy with a cross-search of this pattern and rapid7 identified more servers with open services that responded in the exact same way in Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, USA, Mongolia, Latvia and Dubai, UAE.

The malware seemed fairly complex and well protected/obfuscated, but the infection chain seemed pretty weak and unsophisticated. The ability to fingerprint the C&C was embarrassing, particularly for malware like this. Combined, these factors really did not support the suggestion that (at that point in time) thieves had refactored the malware for black market use.

Adding junk instructions and spaghetti code is a technique that aims to confuse disassembly programs. In such cases, a reversing plugin can help normalize the code flow. The team analysing FinFisher created their own.

The code starts by allocating two chunks of memory: a global 1 MB buffer and one 64 KB buffer per thread. The first is used as index for multiple concurrent threads. A big chunk of data is extracted from the portable executable (PE) file itself and decrypted two times using a custom XOR algorithm. This data contains an array of opcode instructions ready to be interpreted by a custom virtual machine (VM).

This makes analysis using regular tools practically impossible. Static analysis may not be useful in analysing custom code that is interpreted and executed through a VM and a new set of instructions. Dynamic analysis faces the anti-debug and anti-analysis tricks hidden in the virtualised code itself that detects sandbox environments and alters the behaviour of the malware.

Armed with knowledge, the team built an opcode interpreter able to reconstruct the real code executed by FinSpy:

  • Stage 0: Dropper with custom virtual machine
  • Stage 1: Loader malware keeps sandbox and debuggers away
  • Stage 2: A second multi-platform virtual machine
  • Stage 3: Installer that takes DLL side-loading to a new level
  • Stage 4: The memory loader – Fun injection with GDI function hijacking
  • Stage 5: The final loader takes control

The team investigated the code blocks and opcode handlers (which were also obfuscated by spaghetti code). The opcode instructions generated by the custom VM are divided into different categories:

  • Logical opcodes, which implement bit-logic operators (OR, AND, NOT, XOR) and mathematical operators
  • Conditional branching opcodes, which implement a code branch based on conditions (equals to JC, JE, JZ, other similar branching opcodes)
  • Load/Store opcodes, which write to or read from particular addresses of the virtual address space of the process
  • Specialized opcodes for various purposes, like execute specialized machine instruction that are not virtualized

Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM. This data structure is 24 bytes and is composed of some fixed fields and a variable portion that depends on the opcode. Before interpreting the opcode, the VM decrypts the opcode’s content (through a simple XOR algorithm), which it then relocates (if needed), using the relocation fields.

The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization (ASLR). It is also able to move code execution into different locations if needed. For instance, in the case of the “Execute” opcode (0x17), the 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed.

Supposedly there are “legitimate” applications for FinFisher, in law enforcement and for military purposes. Licenses for FinFisher software have been found in the offices of the overthrown president of Egypt Hosni Mubarak and malware analysts suspect that various totalitarian regimes around the world use FinFisher to spy on their opponents today. The license that the Egyptian government was using cost them an impressive 287,000 Euros and Gamma International seems to provide counselling on how to use known flaws in third-party programs in order to install FinFisher on victims' computers. One highly publicized case involving these practices occurred when a security flaw in iTunes that was not patched until 2011 was used to install FinFisher on numerous computers.

FinFisher, the spyware sold to police and tyrants around the globe, has gained the dubious honour of becoming the first piece of software judged by the Organization for Economic Co-operation and Development to have trampled human rights. The UK govt responded along the lines of “Bahraini sales were dodgy, please don't do it again.”

That is not going to bother the German-British company FinFisher (previously called Gamma International) much; business is good in the commercial spyware field. The firm has found buyers everywhere from Ethiopia to Turkmenistan, and a study by Citizen Lab from 2014 found at least 35 Command&Control (C&C) servers for the software around the world. The company got hacked in the fall of 2014, and company files and a complete version of its spyware were published online by Wikileaks.

A document detailing release notes for version 4.51 of FinSpy, dated April 2014, show a series of fixes made to the products including patched to ensure the rootkit component could avoid Microsoft Security Essentials, that the malware could record dual screen Windows setups, and improved siphoning of emails through Mozilla Thunderbird and Apple Mail.

Leaked documents obtained from Gamma Group in Germany show the biz charged one customer €1.4m for a copy of FinSpy, and €331,840 in fees for a year's worth of support. A variety of penetration-testing training services were also available at €27,000 a pop. And business is apparently still booming without any serious intervention by the UK and German governments.

You Only Click Twice: FinFisher’s Global Proliferation

It has been found on Windows, Apple, Android, Bluetooth devices, but I haven't seen any reports yet of it being ported to “pure” *nix. And while Androids are not “really linux”, they are very close. It probably wouldn't be too much trouble for someone to port it to *nix.

FinFisher campaigns are known to have used various infection mechanisms

  • Spearphishing
  • Manual installations with physical access to devices
  • 0-day exploits
  • Watering hole attacks – poisoning websites the targets are expected to visit (which was observed to serve a mobile version of FinFisher, for example).
  • Man-in-the-middle attack with the “man” in the middle most likely operating at the ISP level. (which was observed in two of the countries in which ESET systems detected the latest FinFisher spyware). When the user – the target of surveillance – is about to download one of several popular (and legitimate) applications, they are redirected to a version of that application infected with FinFisher. The applications that were observed to have been misused to spread FinFisher are WhatsApp, Skype, Avast, WinRAR, VLC Player and some others. It is important to note that virtually any application could be misused in this way.
  • Break WPA encryption and gain access to wireless networks.
  • Monitor activity on social network accounts and webmail.
  • Remote monitoring of activity on the victim's computer.
  • Discover hidden networks and gain access to Bluetooth devices.
  • Steal passwords and online account information.

You can use use ESET’s Free Online Scanner to check your computer for its presence and remove it if detected.

  • Last modified: 2019/12/20 15:40