Global cybersecurity company Kaspersky has conducted a comprehensive investigation into recent updates to the FinSpy spyware, which targets common operating systems, particularly Windows, Mac, and Linux. The findings point to a heavy emphasis on defense evasion, making FinFisher one of the hardest-to-detect spyware tools to date.
FinFisher, also known as FinSpy or Wingbird, is a surveillance tool, which Kaspersky has been tracking since 2011. It is capable of gathering various credentials, file listings, and deleted files, as well as live streaming or recording data and gaining access to a webcam and microphone.
Its Windows implants were detected and researched several times up to 2018, after which FinFisher appeared to drop off the radar.
After that, Kaspersky detected on its users' machines a series of suspicious installers of legitimate applications—such as TeamViewer, VLC Media Player, and WinRAR—that contained malicious code which could not be linked to any known malware.
That changed when researchers discovered a Burmese-language website hosting both the infected installers and samples of FinFisher for Android, which established that the installers had been Trojanized with the same spyware. This discovery prompted Kaspersky researchers to investigate FinFisher further.
Unlike previous versions of the spyware, which embedded the Trojan directly in the infected application, the new samples were protected by two components: a non-persistent Pre-Validator and a Post-Validator.
The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Only once it confirms that the infected victim is the intended one does the server command deployment of the full-fledged Trojan platform.
The researchers also discovered a sample of FinFisher that replaced the Windows UEFI bootloader. This infection method let the attackers install a bootkit without needing to bypass firmware security checks.
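As an added example (not Kaspersky's tooling or part of its report), the following elevated PowerShell snippet performs the checks a defender would want after reading the paragraph above: it confirms that Secure Boot is enforced, mounts the EFI System Partition, and verifies that the Windows bootloader is still Microsoft-signed and matches a baseline hash. The drive letter S:, the baseline hash placeholder, and the default bootloader path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: integrity check for a replaced Windows UEFI bootloader.
# Assumes a UEFI system, an unused drive letter S:, and a SHA-256 baseline
# recorded from a clean install of the same Windows build (placeholder below).

$EspLetter       = 'S:'
$BootMgr         = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
$KnownGoodSha256 = '<BASELINE-SHA256-FROM-CLEAN-IMAGE>'   # placeholder, not a real hash

# 1. Secure Boot state. A non-Microsoft bootloader is only refused at boot when
#    Secure Boot is enforced, so a disabled state is itself a finding.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $null }   # cmdlet throws on legacy BIOS / unsupported platforms
Write-Host "Secure Boot enabled: $secureBoot"
if (-not $secureBoot) { Write-Warning "Secure Boot is not enforced; bootloader replacement would go unchallenged" }

# 2. Mount the EFI System Partition (it has no drive letter by default).
mountvol $EspLetter /S | Out-Null
try {
    if (-not (Test-Path $BootMgr)) { throw "bootmgfw.efi not found at $BootMgr" }

    # 3. Authenticode: the genuine file carries a valid Microsoft signature.
    $sig    = Get-AuthenticodeSignature -FilePath $BootMgr
    $signer = $sig.SignerCertificate.Subject
    Write-Host "Signature status: $($sig.Status)"
    Write-Host "Signer: $signer"
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        Write-Warning "bootmgfw.efi is not validly signed by Microsoft; investigate"
    }

    # 4. Hash comparison against the baseline captured from a clean machine.
    $hash = (Get-FileHash -Path $BootMgr -Algorithm SHA256).Hash
    Write-Host "SHA-256: $hash"
    if ($hash -ne $KnownGoodSha256) {
        Write-Warning "bootmgfw.efi hash differs from baseline; the bootloader may have been replaced"
    }

    # 5. Any other EFI binary on the partition without a valid signature deserves a look.
    Get-ChildItem "$EspLetter\EFI" -Recurse -Include *.efi |
        Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } |
        ForEach-Object { Write-Warning "Unsigned or invalid EFI binary: $($_.FullName)" }
}
finally {
    mountvol $EspLetter /D | Out-Null   # dismount the ESP again
}
```

A Windows update legitimately changes bootmgfw.efi, so the baseline hash must be refreshed per build; the signature check is the more durable indicator.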
To protect yourself from threats such as FinFisher, Kaspersky recommends the following:
- Download your apps and programs from trusted websites.
- Don’t forget to update your operating system and all software regularly. Many security issues can be resolved by installing updated versions of software.
- Distrust e-mail attachments by default. Before clicking to open an attachment or follow a link, consider carefully: Is it from someone you know and trust? Is it expected? Is it clean? Hover over links and attachments to see what they’re named or where they really go.
- Avoid installing software from unknown sources. It may and often does contain malicious files.
- Use a strong security solution on all computers and mobile devices, such as Kaspersky Internet Security for Android or Kaspersky Total Security.
For organizations’ protection, Kaspersky suggests the following:
- Set up a policy for non-corporate software use. Educate your employees about the risks of downloading unauthorized applications from untrusted sources.
- Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
- Install anti-APT and EDR solutions that enable threat discovery and detection, investigation, and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
- Along with proper endpoint protection, dedicated services can help against high-profile attacks. Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages, before the attackers achieve their goals.