FinSpy monitoring malware now spreads via UEFI bootkits


The infamous FinSpy spyware has now been upgraded for deployment via UEFI bootkits.

FinSpy, also known as FinFisher / Wingbird, is surveillance software that has been detected in the wild since 2011. Windows desktop implants for the software were detected in 2011, and mobile implants were discovered a year later.

In 2019, Kaspersky researchers found new upgraded Android and iOS samples, as well as signs of ongoing infections in Myanmar. The Indonesian government has also been linked to the use of the spyware.

At Kaspersky’s Security Analyst Summit (SAS) on Tuesday, researchers Igor Kuznetsov and Georgy Kucherin said detection rates for Windows FinSpy implants have steadily declined over the past three years. However, the software has now been upgraded with new infection vectors for PCs.

According to Kaspersky, the malware has moved beyond being deployed purely through trojanized installers, normally bundled with legitimate applications including TeamViewer, VLC, and WinRAR. In 2014, its developers added Master Boot Record (MBR) bootkits, which aim to ensure that malicious code is loaded as early as possible on an infected machine.

Researchers say that Unified Extensible Firmware Interface (UEFI) bootkits have now also been added to FinSpy’s arsenal.

The malware will, however, check for the presence of a virtual machine (VM), and if one is found, only the shellcode is provided, possibly in an attempt to avoid reverse engineering.

UEFI is essential to computer systems because it helps load operating systems. FinSpy is not the only malware targeting this component; LoJax and MosaicRegressor are other examples.

Kucherin, however, said that the FinSpy bootkit was “not the average that we normally see” and that all that was needed to install it was administrator rights.

A sample of a UEFI bootkit that loaded FinSpy gave the team some clues about its functionality. The Windows Boot Manager (bootmgfw.efi) was replaced with a malicious variant, and when it loaded, two encrypted files were also triggered: a Winlogon injector and the main loader of the Trojan.

FinSpy’s payload is encrypted, and once a user logs in, the loader is injected into winlogon.exe, leading to the decryption and extraction of the Trojan.

If a target machine is too old to support UEFI, that doesn’t mean it is safe from infection. Instead, FinSpy will target the system through the MBR. It is possible that the malware hits 32-bit machines.
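
A defender-side check for the boot manager replacement described above, as an added example that is not from the article or from Kaspersky's research: it verifies the Authenticode signature of bootmgfw.efi on the EFI System Partition (ESP), compares it with the copy Windows keeps under its own directory, and reports whether the machine boots via UEFI with Secure Boot. The function name, the S: drive letter, and the default Windows file locations are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): integrity check of the Windows Boot Manager.
# Assumptions: drive letter S: is unused; Windows uses its default boot file paths.

function Test-BootManagerIntegrity {   # hypothetical helper name
    param([string]$EspLetter = 'S:')

    $espCopy    = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"   # copy the firmware loads
    $stagedCopy = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"        # copy kept by Windows

    # Secure Boot state. The cmdlet throws on machines that do not boot via UEFI,
    # which is the legacy BIOS/MBR case the article also mentions.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI) }
    catch { $secureBoot = 'Unavailable (legacy BIOS/MBR boot or unsupported platform)' }

    mountvol $EspLetter /S | Out-Null                 # map the ESP to the drive letter
    try {
        $null = Get-PSDrive -PSProvider FileSystem    # let PowerShell see the new drive
        $sig        = Get-AuthenticodeSignature -FilePath $espCopy
        $espHash    = (Get-FileHash -Path $espCopy    -Algorithm SHA256).Hash
        $stagedHash = (Get-FileHash -Path $stagedCopy -Algorithm SHA256).Hash

        [pscustomobject]@{
            SecureBoot        = $secureBoot
            SignatureStatus   = $sig.Status           # anything but 'Valid' needs review
            Signer            = $sig.SignerCertificate.Subject
            EspSha256         = $espHash
            StagedSha256      = $stagedHash
            # A mismatch alone is not proof of tampering: servicing can leave the two
            # copies at different versions. Weigh it together with SignatureStatus.
            MatchesStagedCopy = ($espHash -eq $stagedHash)
        }
    }
    finally {
        mountvol $EspLetter /D | Out-Null             # always unmap the ESP again
    }
}

Test-BootManagerIntegrity | Format-List
```

The script reads the files through the running operating system, so a clean result is one data point rather than proof that the boot chain is intact.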

The spyware is capable of capturing and exfiltrating a wide variety of data from infected PCs, including locally stored media, operating system information, browser and virtual private network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype registrations, and more.

On mobile, FinSpy will target contact lists, SMS messages, files in memory, email content and GPS location coordinates. Additionally, the malware can monitor Voice over IP (VoIP) communication and is able to browse content exchanged through applications such as Facebook Messenger, Signal, Skype, WhatsApp and WeChat.

The macOS version of FinSpy only comes with one installer – and the same goes for the Linux version. However, in the latter case, the infection vector used to deliver FinSpy is currently unknown, although it is suspected that physical access may be required.

The last investigation into FinSpy lasted eight months. According to Kuznetsov, it is likely that operators “will continue to upgrade their infrastructure all the time” in what will be a “never-ending story”.
