ESET spots new FinFisher campaign

Security software provider ESET has spotted a new FinFisher spyware campaign. The software, also known as FinSpy, is surveillance software allegedly only sold to law enforcement and governments. According to the blog on the ESET website, FinFisher has been spotted in seven countries. In the interest of security, ESET has chosen not to publicly name those countries.

How does FinFisher work?

FinFisher is a very adaptable piece of software. It has previously been deployed using a number of different mechanisms. Among those are 0-day exploits that had not been disclosed to software vendors. It has also used spear phishing, watering-hole attacks and now man-in-the-middle attacks.

ESET has seen the latter being used in two of the seven countries. Filip Kafka of ESET says: “When the user – the target of surveillance – is about to download one of several popular (and legitimate) applications, they are redirected to a version of that application infected with FinFisher.”

Kafka has listed a number of applications that ESET has spotted being used in attacks. It includes:

  • WhatsApp
  • Skype
  • Avast
  • WinRAR
  • VLC Player

How is the infection carried out?

The user searches for any of the target applications on legitimate websites. Most users will see this as safe behaviour. When they click on the download link the request is intercepted and they are redirected to a trojanised install package. The redirection uses the HTTP 307 Temporary Redirect mechanism. As this occurs on the network between the user and the vendor, the user doesn’t see it. What they see is a package that appears to come from the vendor’s website. What they get is a modified installer from the attacker.

During the install, the user gets the latest version of the application. They also get an unexpected and unwanted extra, the FinFisher spyware.
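The mechanism described above (a 307 redirect inserted on the path between the user and the vendor) leaves a trace that a defender can check for: the download chain ends on a host the vendor does not control, and the delivered bytes no longer match the vendor’s published hash. The following is an added example, not code from the article or from ESET. It records each redirect hop with automatic following disabled, flags hops that leave a trusted host set or downgrade https to http, and compares the downloaded file against an expected SHA-256. The hostnames and the sample chain are constructed for illustration; `collect_chain` needs network access and is not exercised by the offline checks.

```python
import hashlib
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of what a client with automatic redirects disabled
# would record. The first hop is a 307 pointing away from the vendor's host,
# which is the pattern the article describes. Hostnames are placeholders.
SAMPLE_CHAIN = [
    (307, "http://download.example-vendor.test/setup.exe",
          "http://cdn.attacker-controlled.test/setup.exe"),
    (200, "http://cdn.attacker-controlled.test/setup.exe", None),
]

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None from redirect_request makes urllib raise HTTPError
    instead of silently following the redirect, so each hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def collect_chain(url, max_hops=5):
    """Fetch url hop by hop and return [(status, requested_url, location), ...].

    Assumed usage only; this performs real HTTP requests and is not run offline.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    chain = []
    for _ in range(max_hops):
        try:
            with opener.open(url) as resp:
                chain.append((resp.getcode(), url, None))
                return chain
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            chain.append((err.code, url, location))
            if err.code not in REDIRECT_CODES or not location:
                return chain
            url = urllib.parse.urljoin(url, location)
    return chain


def audit_redirect_chain(chain, trusted_hosts):
    """Return human-readable findings for hops that leave the trusted hosts
    or downgrade the scheme. An empty list means the chain looked clean."""
    findings = []
    for status, url, location in chain:
        if status not in REDIRECT_CODES or not location:
            continue
        src = urllib.parse.urlparse(url)
        dst = urllib.parse.urlparse(urllib.parse.urljoin(url, location))
        if dst.hostname not in trusted_hosts:
            findings.append(
                f"{status} from {src.hostname} to untrusted host {dst.hostname}")
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(
                f"{status} downgrades https to http at {dst.hostname}")
    return findings


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare downloaded bytes with the hash the vendor publishes out of band.
    A redirect-injected installer will not match even if the UI looked normal."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    for finding in audit_redirect_chain(SAMPLE_CHAIN, {"download.example-vendor.test"}):
        print("FINDING:", finding)
```

The hash comparison only helps when the expected value comes from a channel the attacker cannot also rewrite, which is why vendors publish hashes and signatures separately from the download itself.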

A complex spyware programme designed to evade analysis and detection

ESET reports that the latest version of FinFisher has had some significant improvements. These are all designed to make it much harder to detect. This is a move that makes sense. It has also gained a significant number of techniques that are designed to prevent analysis of its code.

The complexity of those measures means that ESET has not yet published a detailed technical analysis of the code. It is promising to do that in a whitepaper at a later date.

One very important new development is an executable called Threema. ESET claims that it is aimed at those users worried about privacy and interception. Threema is a secure instant messaging solution with its own encryption. It is believed that this version would be used to replace the legitimate app allowing messaging to be viewed by the attacker.

Are ISPs cooperating with these attacks?

In its analysis of the attack vectors, ESET believes there is enough evidence to point to ISP collusion. One of the pieces of data that helps substantiate that is a WikiLeaks document. This document describes a product called FinFly ISP and appears to be a product sales document from Lench IT Solutions. It outlines a tool that ISPs could install to help law enforcement and intelligence teams to target users.

There is other evidence that points to ISP involvement. ESET says that all the affected users in each country use a single ISP. In addition, the way the redirect techniques have been implemented is identical in all seven countries.

What does this mean?

It should come as no surprise that there has been an increase in the amount of high-level surveillance software in circulation. Western governments are deploying all the tools they can in the name of anti-terrorism. After last week’s attack in the UK it would be a surprise if the UK was not one of those countries where FinFisher was spotted.

If ESET is correct about the involvement of ISPs then it raises the stakes considerably. By not naming the countries it is difficult to know if the ISPs were willing or coerced. If this is the case and ISPs in Europe, North America or some Asia Pacific countries are involved, this could result in some significant fallout.

US companies that collaborate with the NSA spy programme lost billions of dollars when their involvement was revealed. Since then, technology companies have worked hard to reassure users that they are resisting government spying. Being exposed as taking part in this type of programme could cause a significant loss of customers that could threaten the business. It would also bring a number of lawsuits especially in Europe given the strength of privacy laws.

This is yet another example of how easy it is for a state-sponsored attacker to spy on users. Private security companies are not only providing tools but also designing attack vectors, including the hoarding of 0-day exploits. Despite governments complaining about the use of encryption, they are already in possession of tools that give them alternative ways of intercepting messages.
