FinFisher is an infamous piece of spyware, also known as “FinSpy”. The technology has been sold to governments as well as other agencies internationally. The spyware can capture live video through webcams and audio through microphones, and it can even perform keylogging and other file-logging techniques. Many believe FinFisher is used by oppressive regimes and, in some cases, by police forces. Now, however, it looks like FinFisher might be deployed at the ISP level.
So how does FinFisher get onto computers? There are various “infection” methods: spear phishing (targeted email scams), manual installation via physical access, 0-day exploits (software bugs unknown to the vendor), and watering hole attacks (the attacker finds services or websites a specific target group uses and infects them with malware).
While all FinFisher infection methods are concerning, the most alarming is the man-in-the-middle (MITM) attack, where the “man” in the middle could be the internet service provider. This method has been observed by ESET, a well-respected IT company specializing in anti-virus and firewall products, in two of the countries known to have FinFisher infections (the other five use the traditional infection methods listed above).
How Does FinFisher Work Through MITM Attacks?
The way it works is extremely powerful and invasive. One example: a user logs into their computer, opens a browser and tries to download a file, only to be redirected to a different program, which they then download.
The redirection is achieved by sending the browser an HTTP 307 temporary redirect, a response indicating that the content has moved to a new URL; the entire process is invisible to the user. In this case the redirect is issued from the host computer’s source of internet access, that is, by the supposedly involved internet service provider. The file, if downloaded, is a trojanized installation package hosted by the ISP.
The file installs not only the app the user meant to download, but also the malicious components, which makes it hard for the end user to detect. No other infection method is required, so this technique can mislead and catch even the most computer-savvy individuals.
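The redirect pattern described above (a cleartext download request answered with a 307 that sends the browser to an installer on a different host) is something a defender can hunt for in proxy or web-gateway logs. The following is an added example, not code from the article or from ESET; the five-field log format, the host names and the log lines themselves are constructed for illustration.

```python
"""Flag HTTP 307 redirects that move an installer download to another host.

Assumed (constructed) proxy-log format, one request per line:
    <client_ip> <method> <requested_url> <status> <Location header or ->
"""
from urllib.parse import urlsplit

# File types a trojanized installation package would plausibly arrive as.
INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".rar", ".dmg")

# Constructed sample log lines; hosts are placeholders, not real indicators.
SAMPLE_LOG = """\
10.0.0.5 GET http://downloads.example-app.test/setup/app-setup.exe 307 http://mirror.example-isp.test/app-setup.exe
10.0.0.5 GET http://downloads.example-app.test/setup/app-setup.exe 200 -
10.0.0.7 GET http://www.example-app.test/index.html 307 http://www.example-app.test/en/index.html
10.0.0.9 GET https://cdn.example-app.test/app.msi 307 https://cdn2.example-app.test/app.msi
"""


def parse_line(line):
    """Split one log line into a record; 'location' is None when no redirect."""
    client, method, url, status, location = line.split()
    return {"client": client, "method": method, "url": url,
            "status": int(status),
            "location": None if location == "-" else location}


def looks_like_installer(url):
    """True if the URL path ends in an installer/archive extension."""
    return urlsplit(url).path.lower().endswith(INSTALLER_SUFFIXES)


def is_suspicious_redirect(rec):
    """A 307 that sends a cleartext installer request to a different host.

    Only plain-HTTP requests are considered: an on-path ISP cannot inject a
    response into an intact TLS session, so an HTTPS 307 is the origin's own.
    """
    if rec["status"] != 307 or not rec["location"]:
        return False
    src, dst = urlsplit(rec["url"]), urlsplit(rec["location"])
    if src.scheme != "http":
        return False
    cross_host = src.netloc.lower() != dst.netloc.lower()
    installer = looks_like_installer(rec["url"]) or looks_like_installer(rec["location"])
    return cross_host and installer


def find_suspicious(log_text):
    """Return the records in the log that match the injected-redirect pattern."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [rec for rec in records if is_suspicious_redirect(rec)]


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['client']} {rec['url']} -> {rec['location']}")
```

Only the first sample line is flagged: the same-host redirect and the HTTPS redirect are excluded, which is the caveat to keep in mind when tuning such a rule.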
The applications being used to spread FinFisher are alarming. They include widely used apps such as WhatsApp, Skype, Avast, WinRAR, VLC Player and others. It is important to note, however, that almost any application can serve as a vessel for FinFisher if the download is redirected by a man-in-the-middle attack at the ISP in question.
Not only is the man-in-the-middle attack perfect for spreading FinFisher spyware, the technology behind the spyware has also improved, making it decidedly stealthier. It uses custom code virtualization to protect its components and is filled with anti-disassembly code. The code is rife with numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks as well.
The recent campaigns to spread FinFisher seem focused on users who rely on encryption and privacy techniques. Apps such as Threema, which provides end-to-end encrypted messaging, and TrueCrypt, used to encrypt disks, have been trojanized with FinFisher.
How is the Malware Spreading So Fast and Wide?
Given how high up in the network the MITM attack takes place, and the volume and geographical spread of the malware, ESET suspects that only an ISP could spread it so quickly and effectively. Other indicators also make it likely that ISPs are the “man” in these MITM attacks.
First, as revealed by WikiLeaks, the creator of FinFisher has in the past offered an infection solution called “FinFly ISP”, whose capabilities match those required for the MITM attacks ESET is seeing.
Second, the infection method using HTTP 307 redirects is the same in both countries, which means it was developed or provided by the same source.
Lastly, the affected targets all use the same ISP, and in at least one of the countries the same HTTP 307 redirect method has been used in the past for internet content filtering. Security researchers found FinFisher variants in seven countries, although they declined to reveal which ones.
Until now, a deployment of FinFly ISP had never been detected or revealed. If these methods and agents are confirmed, it sets a new precedent for how stealthy and invasive surveillance can be, with an unprecedented level of reach and infiltration.
How to Defeat FinFisher MITM?
ESET customers can detect the threat as Win32/FinSpy.AA and Win32/FinSpy.AB and remove it. However, we also recommend using TorGuard VPN, since TorGuard tunnels all of one’s data through an encrypted tunnel, protecting the user from MITM attacks by an internet service provider.