FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]

ID: S0182
Associated Software: FinSpy
Type: MALWARE
Platforms: Windows, Android
Version: 1.4
Created: 16 January 2018
Last Modified: 12 September 2024

Associated Software Descriptions

Name    Description
FinSpy  [3] [4]

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[1][5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FinFisher creates a new Windows service with the malicious executable for persistence.[1][5]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

A FinFisher variant uses DLL search order hijacking.[1][4]

.002 Hijack Execution Flow: DLL Side-Loading

FinFisher uses DLL side-loading to load malicious programs.[1][5]

.013 Hijack Execution Flow: KernelCallbackTable

FinFisher has used the KernelCallbackTable to hijack the execution flow of a process by replacing the __fnDWORD function with the address of a created Asynchronous Procedure Call stub routine.[6]

Enterprise T1140 Deobfuscate/Decode Files or Information

FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[1][5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.[1][5]

Enterprise T1113 Screen Capture

FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide messages shown by the system during the setup process.[1][5]

Enterprise T1083 File and Directory Discovery

FinFisher enumerates directories and scans for certain files.[1][5]

Enterprise T1012 Query Registry

FinFisher queries Registry values as part of its anti-sandbox checks.[1][5]

Enterprise T1027 Obfuscated Files or Information

FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[1][5]

.001 Binary Padding

FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[1][5]

.002 Software Packing

A FinFisher variant uses a custom packer.[1][4]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

FinFisher performs UAC bypass.[1][5]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FinFisher clears the system event logs using the OpenEventLog/ClearEventLog APIs.[1][5]

Enterprise T1082 System Information Discovery

FinFisher checks whether the victim OS is 32- or 64-bit.[1][5]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

FinFisher obtains the hardware device list and checks whether the MD5 hash of the vendor ID matches a predefined list in order to detect sandbox or virtualized environments.[5]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[1][5]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FinFisher probes the system to check for antimalware processes.[1][4]

Enterprise T1056 .004 Input Capture: Credential API Hooking

FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.[1][7]

Enterprise T1057 Process Discovery

FinFisher checks its parent process for indications that it is running in a sandbox setup.[1][5]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

FinFisher injects itself into various processes depending on whether it is running at low or high integrity.[1][5]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Some FinFisher variants incorporate an MBR rootkit.[1][5]
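Several of the Windows behaviours listed above (the uxtheme.dll masquerade under T1036.005, the HKCU Run key persistence under T1547.001, the service installation under T1543.003 and the event log clearing under T1070.001) leave host telemetry that a defender can check for. The script below is an added example, not code from the ATT&CK page or from any FinFisher analysis: it runs four simple detection rules over constructed endpoint records. The record layout (an `event` field plus `image`, `key`, `log` and similar fields) is an assumption of this example, as are the sample paths and service names; the page names the Run key as HKCU\Software\Microsoft\Windows\Run, and the rule also matches the standard \CurrentVersion\Run form.

```python
"""
Added example (not from the ATT&CK page): a small detection pass over
constructed endpoint telemetry, flagging the FinFisher behaviours the page
describes. Telemetry record shape and sample values are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Directories from which a genuine uxtheme.dll is expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Directories where a legitimately installed service binary normally lives.
SERVICE_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")

# The page writes the key as HKCU\Software\Microsoft\Windows\Run; the usual
# autostart key includes \CurrentVersion, so accept both spellings exactly
# (RunOnce and deeper subkeys are deliberately not matched here).
RUN_KEY_RE = re.compile(
    r"^hkcu\\software\\microsoft\\windows\\(?:currentversion\\)?run(?:\\|$)",
    re.IGNORECASE,
)

# Event logs whose clearing (ClearEventLog) is worth an alert.
MONITORED_LOGS = {"system", "security", "application"}


def detect_masquerade(image_path: str) -> bool:
    """T1036.005: uxtheme.dll loaded from somewhere other than a system dir."""
    p = image_path.lower()
    return p.rsplit("\\", 1)[-1] == "uxtheme.dll" and not p.startswith(SYSTEM_DIRS)


def detect_run_key(key_path: str) -> bool:
    """T1547.001: a value written under the HKCU Run autostart key."""
    return RUN_KEY_RE.match(key_path.strip()) is not None


def detect_suspicious_service(image_path: str) -> bool:
    """T1543.003: a service whose binary sits outside the expected directories."""
    p = image_path.lower().strip('"')
    return not p.startswith(SERVICE_DIRS)


def detect_log_clear(log_name: str) -> bool:
    """T1070.001: one of the monitored Windows event logs was cleared."""
    return log_name.lower() in MONITORED_LOGS


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the ATT&CK technique IDs that one telemetry record matches."""
    kind = rec.get("event")
    if kind == "image_load" and detect_masquerade(rec["image"]):
        return ["T1036.005"]
    if kind == "registry_set" and detect_run_key(rec["key"]):
        return ["T1547.001"]
    if kind == "service_install" and detect_suspicious_service(rec["image"]):
        return ["T1543.003"]
    if kind == "log_cleared" and detect_log_clear(rec["log"]):
        return ["T1070.001"]
    return []


def run_detections(records: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Pair every matching record with the technique it triggered."""
    return [(t, r) for r in records for t in classify(r)]


# Constructed sample telemetry; none of these paths or names are real IoCs.
SAMPLE_RECORDS = [
    {"event": "image_load", "process": "explorer.exe",
     "image": r"C:\Windows\System32\uxtheme.dll"},                 # benign load
    {"event": "image_load", "process": "setup.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\uxtheme.dll"},   # masquerade
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"event": "service_install", "name": "ExampleUpdSvc",
     "image": r"C:\ProgramData\ExampleUpd\svc.exe"},              # odd location
    {"event": "service_install", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},                 # benign
    {"event": "log_cleared", "log": "System", "actor": "setup.exe"},
]

if __name__ == "__main__":
    for technique, rec in run_detections(SAMPLE_RECORDS):
        print(f"{technique}: {rec}")
```

Each rule on its own is noisy in a real fleet (legitimate installers do write Run keys and create services), so in practice the four hits are better correlated by process and time window than alerted on individually; the masquerade and log-clearing rules are the ones with the lowest benign rate.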

Mobile T1429 Audio Capture

FinFisher uses the device microphone to record phone conversations.[8]

Mobile T1404 Exploitation for Privilege Escalation

FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[8]

Mobile T1430 Location Tracking

FinFisher tracks the latitude and longitude coordinates of the infected device.[8]

Mobile T1636 .002 Protected User Data: Call Log

FinFisher accesses and exfiltrates the call log.[8]

.004 Protected User Data: SMS Messages

FinFisher captures and exfiltrates SMS messages.[8]

Groups That Use This Software

ID     Name          References
G0070  Dark Caracal  [8]

References