Finisher, also known as FinFisher or FinSpy, is a surveillance software marketed by Lench IT Solutions plc, and they market the spyware to law enforcement channels and government agencies for investigations.
However, the company has been criticized by human rights organizations for selling these capabilities to repressive or non-democratic states known for monitoring and imprisoning political dissidents.
FinFisher malware is installed in a few different ways, which include fake software updates, emails with fake attachments, and security flaws in popular software.
The software is designed to evade detection by antivirus software and even has versions that work on most mobile phones.
FinSpy can spy on most popular desktop and mobile operating systems, including Android, iOS, Windows, macOS, and Linux.
Once a device is infected, it works as a spying tool that can control both webcam and microphone, to spy on communications and exfiltrate data stored on the infected systems.
FinSpy has made several headlines in recent years that is has been used by oppressive regimes to spy on dissidents, activists, and Journalists.
Since 2011 it was employed in attacks aimed at Human Rights Defenders (HRDs) in many countries, including Bahrain, Ethiopia, UAE, Egypt and more.
Because of this, Amnesty International’s Security Lab tracks FinSpy usage and development as part of their continuous monitoring of digital threats to Human Rights Defenders.
While human rights activist organization Amnesty International was researching on the activities of a hacking group tracked as NilePhish, which was involved in the attacks aimed at the Egyptian NGO’s, they discovered a new version of FinSpy.
“While continuing research into this group’s activity, we discovered it has distributed samples of FinSpy for Microsoft Windows through a fake Adobe Flash Player download website. Amnesty International has not documented human rights violations by NilePhish directly linked to FinFisher products.” reads the Amnesty’s report.
The binaries of this new version are difficult to understand and confusing.
The mobile version of the surveillance software in the first stage of the infection and it leverages the exploits to get root access.
If the exploits don’t work, the malicious code will ask the user to grant root permissions to launch the next stage installer.
Here is what researchers know about the infection chain for the FinSpy on Linux:
“The “PDF” file obtained from the server is a short script containing encoded binaries for Linux 32bit and 64bit. It extracts the binary for the relevant architecture in /tmp/udev2 and executes it. Like its Mac OS counterpart, FinSpy for Linux is also obfuscated using LLVM-Obfuscator.” continues the analysis. “The modules available in the Linux sample are almost identical to the MacOS sample. The binaries are stored encrypted and obfuscated too, with a slightly different format, the AES Initialization vector being stored within the core module binary instead of in the encrypted module files.”
Amnesty International shared all of the technical details about teh investigation, including IoC (Indicators of Compromise) so that you can determine if any of your devices have been compromised.