
FinSpy surveillance malware is now spreading through UEFI bootkits | ZDNet

The nefarious FinSpy spyware has now been upgraded for deployment within UEFI bootkits.

FinSpy, also known as FinFisher/Wingbird, is surveillanceware that has been detected in the wild since 2011. The software’s Windows desktop-based implants were detected in 2011, and mobile implants were discovered a year later. 

In 2019, Kaspersky researchers found new, upgraded Android and iOS samples, as well as signs of ongoing infections in Myanmar. The Indonesian government was also connected to the spyware’s use.

At Kaspersky’s Security Analyst Summit (SAS) on Tuesday, researchers Igor Kuznetsov and Georgy Kucherin said that detection rates for Windows FinSpy implants have declined steadily over the past three years. However, the software has now been upgraded with new PC infection vectors. 

According to Kaspersky, the malware is no longer deployed purely through Trojanized installers, which are normally bundled with legitimate applications such as TeamViewer, VLC, and WinRAR. In 2014, its developers added Master Boot Record (MBR) bootkits, which aim to ensure malicious code is loaded at the earliest possible opportunity on an infected machine.

The researchers say that now, Unified Extensible Firmware Interface (UEFI) bootkits have also been added to FinSpy’s arsenal. 

The malware will, however, check for the presence of a virtual machine (VM), and if found, only shellcode is delivered, likely in an attempt to avoid reverse engineering attempts. 

UEFI firmware is a critical part of any computer because it runs before the operating system and is responsible for loading it, so code planted there executes ahead of the OS and its defenses. FinSpy is not the only malware to target this layer; LoJax and MosaicRegressor are other prime examples.

Kucherin did say, however, that the FinSpy bootkit was “not the average we normally see” and all that was necessary to install it was administrator rights. 

A sample of a UEFI bootkit that loaded FinSpy provided the team with clues to its functionality. The Windows Boot Manager (bootmgfw.efi) was replaced with a malicious variant, and once loaded, two encrypted files were also triggered, a Winlogon Injector and the Trojan’s main loader. 

FinSpy’s payload is encrypted, and once a user logs on, the loader is injected into winlogon.exe, leading to the decryption and extraction of the Trojan.
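Because the bootkit described above works by replacing the Windows Boot Manager on the EFI System Partition, a defender can check that file directly. The PowerShell script below is an added example, not code from the article or from Kaspersky; it assumes a Windows 10/11 host, an elevated session, and that drive letter S: is unused.

```powershell
# Added example: verify the Windows Boot Manager on the EFI System Partition (ESP)
# against its Authenticode signature and against the reference copy that Windows
# keeps in the OS volume. Assumes an elevated session and that S: is free.
function Test-BootManagerIntegrity {
    param(
        [string]$EspLetter = 'S:',
        [string]$EspBootMgr = '\EFI\Microsoft\Boot\bootmgfw.efi',
        # Reference copy shipped inside the OS volume (assumed default location).
        [string]$ReferenceBootMgr = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"
    )
    $result = [ordered]@{
        Path = $null; SignatureStatus = $null; Signer = $null
        MatchesReference = $null; Verdict = 'UNKNOWN'
    }
    # mountvol /S assigns a drive letter to the ESP, which is normally hidden.
    mountvol $EspLetter /S | Out-Null
    try {
        $target = "$EspLetter$EspBootMgr"
        $result.Path = $target
        if (-not (Test-Path $target)) {
            $result.Verdict = 'SUSPICIOUS: boot manager missing from ESP'
            return [pscustomobject]$result
        }
        # A replaced bootmgfw.efi should fail signature validation or carry a non-Microsoft signer.
        $sig = Get-AuthenticodeSignature -FilePath $target
        $result.SignatureStatus = $sig.Status.ToString()
        $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        # Secondary check: compare the ESP copy with the OS-side reference copy.
        $espHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        $refHash = (Get-FileHash -Path $ReferenceBootMgr -Algorithm SHA256).Hash
        $result.MatchesReference = ($espHash -eq $refHash)
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($result.Signer -like '*Microsoft*')
        if (-not $signedByMicrosoft) {
            $result.Verdict = 'SUSPICIOUS: boot manager signature invalid or not Microsoft'
        } elseif (-not $result.MatchesReference) {
            $result.Verdict = 'REVIEW: validly signed but differs from OS reference copy'
        } else {
            $result.Verdict = 'OK'
        }
        return [pscustomobject]$result
    } finally {
        # Always release the drive letter, even if a check threw.
        mountvol $EspLetter /D | Out-Null
    }
}

Test-BootManagerIntegrity | Format-List
```

A valid Microsoft signature with a hash mismatch usually reflects version skew after a Windows update; an invalid or absent signature on bootmgfw.efi is the finding to escalate and image for forensics.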

If a target machine is too old to support UEFI, this does not mean it is safe from infection. Instead, FinSpy will target the system via the MBR. It is possible for the malware to strike 32-bit machines.

The spyware is capable of capturing and exfiltrating a wide variety of data from an infected PC, including locally stored media, OS information, browser and virtual private network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.

On mobile, FinSpy will target contact lists, SMS messages, files in memory, email content, and GPS location coordinates. In addition, the malware can monitor Voice over IP (VoIP) communication and is able to rifle through content exchanged via apps including Facebook Messenger, Signal, Skype, WhatsApp, and WeChat.  

The macOS version of FinSpy contains only one installer — and the same applies to the Linux version. However, in the latter case, the infection vector used to deliver FinSpy is currently unknown, although it is suspected that physical access may be required.  

The latest investigation into FinSpy took eight months. According to Kuznetsov, it is likely the operators “will keep upgrading their infrastructure all of the time” in what will be a “never-ending story.”
