
Global ISPs could be complicit in major spyware surveillance program

25 Sep 2017

Another variant of the notorious FinFisher spyware is suspected to be behind several surveillance campaigns against seven countries, and ISPs are said to be in on the game.

Researchers from ESET detected the new FinFisher variant, also known as FinSpy. The latest variant not only features technical improvements, but also uses a previously unseen infection vector.

While ESET will not name the seven affected countries, in two cases the researchers suspect that major internet providers have been involved in infecting the surveillance targets. In the other five cases, infections have spread via traditional methods.

Researchers further say that FinFisher is essentially spyware marketed as a law enforcement tool and sold to government agencies and oppressive regimes worldwide.

FinFisher infects its targets through a number of different methods, most notably ‘man-in-the-middle’ attacks, in which ISPs seem to be operating as the facilitators.

The company says it has evidence to back up those claims. Documents published by WikiLeaks showed that the creators of FinFisher also made ‘FinFly ISP’, a solution that gives ISPs the capability to conduct man-in-the-middle attacks. The attacks are also technically similar across the affected countries, suggesting a common origin. And within each affected country, all of the targets were using the same ISP.

“Finally, the very same redirection method and format have been used for internet content filtering by internet service providers in at least one of the affected countries,” researchers state.

Traditional methods include spear phishing, manual installation, zero-days and compromising websites frequented by targets, otherwise known as watering hole attacks.

When surveillance targets try to download legitimate applications, the attack redirects them to an infected version of that application. So far researchers have spotted infected versions of Avast, Skype, VLC Player, WhatsApp and WinRAR, amongst others.

The redirect delivers a trojanised installation package that installs the legitimate application alongside the FinFisher spyware.
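The redirect described above leaves a recognisable trace on the network: a request for an installer that is answered with a 3xx pointing at a different organisation's host. The following Python script is an added example written for this article, not ESET's code or anything published by the page, and it runs over a handful of constructed proxy log lines in an assumed format (timestamp, client, method, URL, status, Location or "-"). The hostnames, status codes and paths in the sample are invented for illustration; the article does not state which status code the real campaign used.

```python
"""Flag installer downloads that an in-path party redirected to another domain.

Added example for the FinFisher ISP-redirect article. Log format, hostnames
and status codes below are assumptions/constructed data, not real traffic.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log: "ts client method url status location".
SAMPLE_LOG = """\
2017-09-20T10:01:02Z 10.0.0.5 GET http://download.example-vendor.test/installer/setup.exe 307 http://update-mirror.example.test/dl/setup.exe
2017-09-20T10:01:09Z 10.0.0.5 GET http://download.example-vendor.test/installer/setup.exe 200 -
2017-09-20T10:02:15Z 10.0.0.7 GET http://www.example-vendor.test/download 302 http://download.example-vendor.test/installer/setup.exe
2017-09-20T10:03:44Z 10.0.0.9 GET http://files.example-vendor.test/player.msi 302 http://cdn-files.example.test/player.msi
"""

INSTALLER_EXTENSIONS = (".exe", ".msi")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<location>\S+)$"
)


@dataclass
class Finding:
    ts: str
    client: str
    requested: str
    redirected_to: str
    status: int


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two DNS labels.

    A production detector should use the public suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_installer(url: str) -> bool:
    """True if the URL path looks like a Windows installer download."""
    return urlparse(url).path.lower().endswith(INSTALLER_EXTENSIONS)


def find_redirected_installers(log_text: str, allowed_targets=()):
    """Return findings for 3xx responses that send an installer request
    (or a redirect chain ending in an installer) to a different registrable
    domain than the one the client asked for.

    allowed_targets: registrable domains (e.g. a vendor's known CDN) that
    are legitimate redirect destinations and should not be flagged.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        status = int(m["status"])
        location = m["location"]
        if not 300 <= status < 400 or location == "-":
            continue  # only redirects with a Location header matter here
        url = m["url"]
        if not (is_installer(url) or is_installer(location)):
            continue  # not an installer download
        src = urlparse(url).hostname or ""
        dst = urlparse(location).hostname or ""
        if not dst or registrable_domain(src) == registrable_domain(dst):
            continue  # same-organisation redirect (mirror, download host)
        if registrable_domain(dst) in allowed_targets:
            continue  # explicitly allowlisted destination
        findings.append(Finding(m["ts"], m["client"], url, location, status))
    return findings


if __name__ == "__main__":
    for f in find_redirected_installers(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.status} {f.requested} -> {f.redirected_to}")
```

The same-domain test is deliberately loose so that ordinary vendor redirects (landing page to download host) stay quiet, while a hop to an unrelated domain on an installer request is surfaced for a hash or signature check of what was actually delivered. Legitimate third-party CDNs will trip the check until they are added to the allowlist, and the detector only sees redirects that the proxy can observe as a distinct 3xx response.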

“The latest version of FinFisher has also received technical improvements, its authors putting even greater focus on stealth. The spyware uses custom code virtualization to protect the majority of its components, including the kernel-mode driver. In addition, the entire code is filled with anti-disassembly tricks. We found numerous anti-sandboxing, anti-debugging, anti-virtualisation and anti-emulation tricks in the spyware. All this makes the analysis more complicated,” ESET researcher Filip Kafka states in a blog.

Researchers also discovered an ironic connection: One of the FinFisher samples is titled ‘Threema’, which shares the name with a secure instant messaging app with end-to-end encryption.

“Ironically, getting tricked into downloading and running the infected file would result in the privacy-seeking user being spied upon. This special focus on users seeking encryption software is not limited solely to end-to-end communicators, apparently. During our research, we have also found an installation file of TrueCrypt – the once-very-popular disk encryption software – trojanised with FinFisher,” researchers state.

ESET products detect and block the threat as Win32/FinSpy.AA and Win32/FinSpy.AB.
