Spyware in the Real World (Finfisher)

In this video we’re going to talk about FinFisher, or FinSpy as it’s known. So FinFisher is a major spyware that has extensive capabilities, including webcam/microphone hijacking. What’s really interesting about it, and this is maybe the scariest part about it, is that it’s created by a company known as Lench IT, and the company is out of Europe. And the software is sold to government agencies, intelligence agencies, and law enforcement agencies. And a lot of times, historically it’s been discovered, it’s been sold to repressive regimes out of the Middle East, South America, and parts of Asia, and it’s been used to spy on political dissidents and anyone else who would be kind of an enemy of the state.

So Lench IT, which is a subsidiary of Gamma Corporation, was actually labelled by Journalists Without Borders as a sort of digital mercenary organization and one of the top five threats to the internet from a corporate standpoint. So when we talked about those APTs, again, remember we mentioned that there were these, you don’t hear about it, but there’s this almost entire other world where there is an entire corporation that makes and sells malicious software to be used against people of various countries.

And because of it, because there’s so many, there’s probably a lot of money that it’s being sold for and a lot of money that these companies get out of it, so it’s got a lot of capabilities that are constantly evolving. So it’s a big thing in its ability to hide itself and go undetected. And an incredibly complex piece of software. And because of that, because of the way it’s acquired and the way it’s kind of managed, I actually don’t have a sample of it that I can show you. But what I can show you is if we look for just FinSpy within VirusTotal, we get some interesting results. OK.

So we looked for FinSpy within VirusTotal, and one of the things that we get is this hash. This is a sample hash. And you can see here, we see FinSpy. A lot of different scanners have detected it. One of the things that’s interesting, especially when you kind of roll back and you look at some of the other viruses that we looked at, like BEAST or something like that, those viruses, those pieces of malware, had significantly more detections than this one does. This has got 27 out of 63 engines were able to detect it. Some of the others we looked at were nearly 63 out of 63. I think maybe 61 out of 63.

This is less than half are able to detect it. The other thing about this one is you’ll notice it’s an APK, and that APK, so that means it’s actually Android. This is a mobile app that this thing was being downloaded bundled with again. We talked about bundling now a couple times. And again, this was used a lot of times, bundle attacks. The APK itself is this funny voice changer APK. So if you got that, you should be wary. See if they have anything in here for behaviour. Here’s some of the HTTP requests and the DNS resolution. So if we wanted to, we could kind of take these here and start digging into them.

We can see where these IPs were, where they’re going to, and try and get some attribution out of it. You can see the files it opens. And this is just in this case. This specific piece of malware is constantly changing, and it’s still out there. It’s still very, very, very much active. You can see the last analysis on it was done not that long ago. It’s still very active, it’s still a big problem.

And yeah, just again, I think the big takeaway for me and hopefully for you here is that this is something that’s created, paid for, and maintained by full scale corporations and governments who use it to spy on individual citizens and people, basically anybody the government deems is a threat. With it, once they have it on a system, they can listen to your calls. They can record your typing. There was an incident where a person inside of the United States had discovered that he was being spied on by Ethiopian government. And so it would happen to be FinFisher in that case. The Ethiopian government was listening to his Skype calls while he was in the United States.

So just something to keep in your mind on the scale of some of these things at times. In our next video, we’re going to be talking about file-less malware, and that’s malware that sneaks into your running application. And we’re going to talk a little bit about what that means.