
Commercially developed FinFisher surveillanceware has been upgraded to infect Windows devices using a UEFI (Unified Extensible Firmware Interface) bootkit that leverages a trojanized Windows Boot Manager, marking a shift in infection vectors that allows it to elude discovery and analysis.

Detected in the wild since 2011, FinFisher (aka FinSpy or Wingbird) is a spyware toolset for Windows, macOS, and Linux developed by Anglo-German firm Gamma International and supplied exclusively to law enforcement and intelligence agencies. But as with NSO Group’s Pegasus, the software has also allegedly been used to spy on Bahraini activists in the past, and it was delivered as part of spear-phishing campaigns in September 2017.

FinFisher is equipped to harvest user credentials, file listings, and sensitive documents; record keystrokes; siphon email messages from Thunderbird, Outlook, Apple Mail, and Icedove; intercept Skype contacts, chats, calls, and transferred files; and capture audio and video by gaining access to a machine’s microphone and webcam.

While the tool was previously deployed through tampered installers of legitimate applications such as TeamViewer, VLC, and WinRAR that were backdoored with an obfuscated downloader, subsequent updates in 2014 enabled infections via Master Boot Record (MBR) bootkits with the goal of injecting a malicious loader in a manner that’s engineered to slip past security tools.

The latest feature to be added is the ability to deploy a UEFI bootkit to load FinSpy: new samples replace the Windows UEFI boot loader with a malicious variant and employ four layers of obfuscation and other detection-evasion methods to slow down reverse engineering and analysis.

“This way of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks,” Kaspersky’s Global Research and Analysis Team (GReAT) said in a technical deep dive following an eight-month-long investigation. “UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence.”
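Because the infection described above swaps the Windows Boot Manager on the EFI System Partition rather than touching the firmware itself, a defender can check the boot manager directly. The following PowerShell script is an added example written for this page; it is not code from the article, from Kaspersky, or from Gamma International. It assumes an elevated session on a UEFI-booted Windows 10/11 host, that drive letter `Z:` is free, and that a legitimate `bootmgfw.efi` carries a valid Authenticode signature whose subject contains "Microsoft Windows" (that subject match is an assumption to verify against a known-good machine of the same build).

```powershell
# Added example (not from the article): report Secure Boot state and verify the
# Windows Boot Manager on the EFI System Partition (ESP). Run as Administrator.
# Assumptions: Z: is an unused drive letter; the expected signer subject is a guess.

$espLetter = 'Z:'
$bootMgr   = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'

# 1. Secure Boot state. An unsigned or non-Microsoft-signed boot manager cannot load
#    while Secure Boot is enforced, so "False" on a machine that should enforce it is
#    itself a finding worth triaging.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = 'unknown (legacy BIOS boot or cmdlet unsupported)'
}
Write-Host "Secure Boot enabled : $secureBoot"

# 2. Mount the ESP (mountvol <drive> /S mounts the EFI System Partition) and inspect
#    the boot manager that the firmware hands control to.
mountvol $espLetter /S | Out-Null
try {
    if (-not (Test-Path $bootMgr)) {
        Write-Warning "Boot manager not found at $bootMgr"
    } else {
        $sig  = Get-AuthenticodeSignature -FilePath $bootMgr
        $hash = (Get-FileHash -Path $bootMgr -Algorithm SHA256).Hash
        Write-Host "bootmgfw.efi SHA256 : $hash"
        Write-Host "Signature status    : $($sig.Status)"
        Write-Host "Signer subject      : $($sig.SignerCertificate.Subject)"

        # Expected-subject substring is an assumption; confirm it on a trusted host.
        $looksLegit = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like '*Microsoft Windows*')
        if (-not $looksLegit) {
            Write-Warning 'bootmgfw.efi is not validly Microsoft-signed; compare it with a known-good copy from the same Windows build and preserve the file for analysis.'
        }

        # 3. Inventory every EFI binary on the ESP so an unexpected or recently
        #    modified loader stands out next to the expected Microsoft files.
        Get-ChildItem -Path (Join-Path $espLetter 'EFI') -Recurse -Filter '*.efi' |
            Select-Object FullName, Length, LastWriteTime |
            Sort-Object LastWriteTime -Descending |
            Format-Table -AutoSize
    }
} finally {
    # Always unmount the ESP again, even if an earlier step failed.
    mountvol $espLetter /D | Out-Null
}
```

The SHA256 line is meant to be compared against the same file on a trusted machine running the identical Windows build, since Microsoft updates `bootmgfw.efi` with servicing releases and a single "known-good" hash is not stable across builds. The recursive `.efi` listing is the part most likely to surface a bootkit that keeps the original loader around under another name and chains to it after doing its own work.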

images from Hacker News