FinSpy spyware comes out stronger: spreading through UEFI bootkits

The malware appears to be capable of stealing almost anything, including credentials, documents and email messages, and of capturing audio

The spyware is spreading again: the previously known FinSpy now uses UEFI bootkits

A new version of the information-stealing spyware, with new features, has been released. Kaspersky researchers presented new information about FinSpy spyware. At the Security Analyst Summit (SAS) 2021, experts shared the results of a deep-dive investigation into several recent updates to FinSpy spyware for Windows, Mac OS and Linux, and into its installers.[1] The whole research took eight months to complete and uncovered four-layer obfuscation and advanced anti-analysis measures.

The spyware's developers used these measures, as well as a UEFI bootkit, to infect a large number of people. UEFI firmware is critical to computers, as it is responsible for loading the operating system. A computer too old to support UEFI is not safe from infection either: in that case, FinSpy targets the system via the MBR. Even 32-bit machines can be hit.[2]
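The MBR infection path described above is the older of the two, and it is also the one a responder can check with nothing more than the first sector of the disk. The following is an added example, not code from the article or from Kaspersky: it parses a 512-byte MBR image (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), fingerprints the boot code with SHA-256 and compares it with a baseline hash taken from a known-clean machine. A bootkit that infects the MBR has to replace that boot code, so the hash changes. The sample MBR, its boot-code bytes and the partition values are constructed for the example and are not real FinSpy artefacts.

```python
import hashlib
import struct
from typing import Dict, List

# Added example (not from the article): triage helper that parses a 512-byte MBR
# image and fingerprints its boot code for comparison with a known-good baseline.
MBR_SIZE = 512
BOOTCODE_SIZE = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device (needs admin/root, e.g. '/dev/sda' or r'\\.\PhysicalDrive0')."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_mbr(mbr: bytes) -> Dict:
    """Split an MBR into boot code, partition table and signature, and hash the boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    bootcode = mbr[:BOOTCODE_SIZE]
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "bootcode_all_zero": not any(bootcode),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootcode_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("no partition entries")
    return findings


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Construct a sample MBR: boot code padded to 446 bytes, one bootable NTFS (0x07) partition, signature."""
    code = bootcode.ljust(BOOTCODE_SIZE, b"\0")[:BOOTCODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\0" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed boot code standing in for a vendor's clean boot loader (not real x86 code).
CLEAN_BOOTCODE = b"CLEAN-BOOTCODE-SAMPLE"

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTCODE)
    baseline = parse_mbr(clean)["bootcode_sha256"]
    tampered = build_sample_mbr(b"TAMPERED-BOOTCODE")
    print("clean:", check_mbr(clean, baseline) or "OK")
    print("tampered:", check_mbr(tampered, baseline))
```

In practice the baseline hash comes from an identical, known-clean machine (same OS and boot loader version), and the hash is compared on every host in the fleet. On UEFI systems the equivalent check is to confirm that Secure Boot is enabled (Confirm-SecureBootUEFI on Windows, mokutil --sb-state on Linux) and that the boot-loader files on the EFI System Partition still match the vendor's hashes.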

FinSpy is also known as FinFisher or Wingbird. It is a spying program that was first detected back in 2011. It has been researched for years, and the spyware is now believed to be extremely hard to detect. Detections of the spyware trojan have dwindled since 2018. Apparently, it has not gone away completely and has been hiding behind various first-stage implants.

Hard to detect but capable of causing chaos

The spyware is especially threatening now because it is so difficult to detect. If a device is hit, the spyware can capture and exfiltrate a wide variety of data: locally stored media, OS information, browser data and even virtual private network settings can become targets. Credentials and product key information, search history, Wi-Fi passwords and Skype recordings are at risk too.

With recent advancements, the risks are getting even more dangerous. Kaspersky experts found a unique plugin that exploits the debug function of modern browsers: a particular environment variable is set, and the browsers then dump all their SSL encryption keys to disk. Attackers could then decrypt all the SSL traffic.[3] Such findings do not stay in one pair of hands for long.
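The browser feature the paragraph describes is a legitimate debugging hook, which is why it is worth having a check for it in a triage kit. The following is an added example, not code from the article or from Kaspersky. It assumes the environment variable in question is SSLKEYLOGFILE, the standard NSS/BoringSSL key-log hook honoured by Firefox and Chromium-based browsers (the article does not name the variable, so that is an assumption). The example flags processes whose environment sets that variable, and parses the NSS key-log format so that a suspicious file found on disk can be confirmed to contain dumped TLS secrets. The process snapshot and key-log contents are constructed samples, not real session keys.

```python
import re
from pathlib import Path
from typing import Dict, List

# Added example (not from the article). Assumption: the variable the plugin sets is
# SSLKEYLOGFILE, the standard browser key-log hook; the article does not name it.
KEYLOG_VAR = "SSLKEYLOGFILE"

# Record labels used by the NSS key-log format (one record per line).
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# <label> <client_random: 64 hex chars> <secret: hex>
_KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text: str) -> List[dict]:
    """Parse NSS key-log text; comments, blank lines and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYLOG_LINE.match(line)
        if m and m.group(1) in KEYLOG_LABELS:
            records.append({"label": m.group(1),
                            "client_random": m.group(2).lower(),
                            "secret": m.group(3).lower()})
    return records


def looks_like_keylog(text: str) -> bool:
    """True if the text holds at least one well-formed key-log record."""
    return len(parse_keylog(text)) > 0


def find_keylog_env(process_envs: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag processes whose environment sets SSLKEYLOGFILE.

    process_envs maps 'pid:image' to that process's environment, as an EDR or
    collect_linux_proc_envs() would return it."""
    findings = []
    for proc, env in process_envs.items():
        target = env.get(KEYLOG_VAR)
        if target:
            findings.append({"process": proc, "keylog_path": target})
    return findings


def collect_linux_proc_envs() -> Dict[str, Dict[str, str]]:
    """Read /proc/<pid>/environ for every process we may access (Linux only; empty dict elsewhere)."""
    envs: Dict[str, Dict[str, str]] = {}
    proc = Path("/proc")
    if not proc.is_dir():
        return envs
    for pid_dir in proc.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            raw = (pid_dir / "environ").read_bytes()
            comm = (pid_dir / "comm").read_text().strip()
        except OSError:
            continue  # not our process, or it exited
        env = {}
        for item in raw.split(b"\0"):
            if b"=" in item:
                k, v = item.split(b"=", 1)
                env[k.decode(errors="replace")] = v.decode(errors="replace")
        envs[f"{pid_dir.name}:{comm}"] = env
    return envs


# Constructed sample: environment snapshot of three processes, as an EDR might return it.
SAMPLE_ENVS = {
    "4120:firefox.exe": {"USERNAME": "alice",
                         KEYLOG_VAR: r"C:\Users\alice\AppData\Local\Temp\~tls.log"},
    "4388:chrome.exe": {"USERNAME": "alice"},
    "620:explorer.exe": {"USERNAME": "alice"},
}

# Constructed sample key log: two valid records (placeholder hex) and one junk line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "0123456789abcdef" * 4 + " " + "ab" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "fedcba9876543210" * 4 + " " + "cd" * 32,
    "garbage line that is not a record",
])

if __name__ == "__main__":
    for hit in find_keylog_env(SAMPLE_ENVS):
        print("key logging enabled:", hit)
    print("records in sample key log:", len(parse_keylog(SAMPLE_KEYLOG)))
```

On a live Linux host, `find_keylog_env(collect_linux_proc_envs())` performs the same check against real processes. On Windows the persistent form of the setting lives in the user's or the system's Environment registry key, which is the place to look in addition to the running browser's environment; a browser that should never be debugged in production has no business carrying this variable at all.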

Even if the information is collected in real time, it can be live-streamed to hundreds of other attackers, or it can be pre-recorded. Even larger data-collection routines can be triggered by launching an application of interest. It looks like the spyware's creators put a lot of effort into remaining threatening and undetected: each time it goes under the radar, development continues.

FinSpy is working worldwide

A few years back, FinSpy was tied to phishing attacks in several countries. Egyptian human rights defenders and media were hit, in attacks carried out by a group known as “NilePhish”. Activists, journalists and dissidents documented various threatening actions in many other countries too, including Bahrain, Ethiopia and the UAE.[4] Such findings cause global concern.

On a general level, spyware can be used to take someone's personal information or even their identity. Information gathered by spyware can even be sold by the spyware creator to third parties, such as totalitarian regimes.[5] The most concerning part is that users have no control over what the spyware monitors or where the information goes. As the FinSpy case shows, some actions can be very sneaky and hard to detect.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
