Current FinFisher surveillance attacks: Are internet providers involved?

Current FinFisher surveillance attacks: Are internet providers involved?

Security has found that legitimate downloads of several favorite applications/Software including WhatsApp, Skype, VLC Player and WinRAR have reportedly been compromised at the ISP level to share the infamous FinFisher spyware also known as FinSpy.

FinSpy is a highly unknown inspection tool that has previously been connected with British company Gamma Group, a company that professionally sells surveillance and spying software to government agencies over in the world.

Digital surveillance tools are sold by a global firm called Gamma Group and have in the past been sold to oppressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE).

 And In March this year, the company served a security discussion sponsored by the UK Home Office.

This Month (21 September 2017), specialists from cybersecurity firm Eset required that new FinFisher variants had been discovered in seven countries, two of which were being targeted by "man in the middle" (MitM) attacks at an ISP level – packaging genuine downloads with spyware.

Organizations being hit included (WhatsApp, Skype, Avast, VLC Player and WinRAR) it said, attaching that "virtually any application could be misused in this way."

During a sufferer of the inspection was downloading the software, they would be silently redirected to a version infected with FinFisher, the research found.

During download, the software would install as regular – but Eset found it would also be covertly bundled with the surveillance tool.

The secret virus process was reported as being "invisible to the naked eye."

And A Microsoft spokesperson, referencing the assumed Skype infections, told IBTimes UK: "We're aware of the vendor blog and are evaluating claims." or Avast spokesperson said: "Attackers will always focus on the most prominent targets. Wrapping approved installers of legal apps with malware is not a new concept and we aren't surprised to see the PC apps mentioned in this report. "What's new is that this seems to be happening at a higher level. "We don't know if the ISPs are in cooperation with the malware distributors or whether the ISPs' infrastructure has been hijacked."

The newest version of FinFisher was spotted with new customised code which kept it from being discovered, what Eset described as "tactical improvements." Some tricks, it added, were aimed at compromising end-to-end (E2E) encryption software and known privacy tools. One such application was Threema, a secure messaging service. "The geographical dispersion of Eset's detections of FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option," the team said. 

"One of the main implications of the discovery is that they decided to use the most effective infection method and that it actually isn't hard to implement from a technical perspective," FilipKafka, a malware researcher at Eset, told IBTimes UK. "Since we see have seen more infections than in the past surveillance campaigns, it seems that FinFisher is now more widely utilized in the monitoring of citizens in the affected countries."

Here's How the Attack Works:

During the destination users search for one of the affected applications on legitimate websites and click on its download link, their browser is served a modified URL, which redirects victims to a trojanized installation package hosted on the attacker's server.

The issues in the installation of a version of the intended legitimate application bundled with the surveillance tool.

"The redirection is achieved by the legitimate download link being replaced by a malicious one," the researchers say. "The malicious link is delivered to the user’s browser via an HTTP 307 Temporary Redirect status response code indicating that the requested content has been temporarily moved to a new URL."

And the intact redirection rule, according to researchers, is "invisible to the naked eye" and occurs without user's knowledge.

FinFisher Appropriating a Whole Lot of New Tricks

That extra tricks employed by the latest version of FinFisher kept it from being spotted by the researchers.

Maybe Some researchers also note that the advanced version of FinFisher received several technological improvements in terms of stealthiness, including the use of custom code virtualization to protect the majority of its parts like the kernel-mode driver.

It additionally presents control of anti-disassembly tricks, and numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks, aiming at compromising end-to-end encryption software and known privacy tools.

 then guarded messaging application, called Threema, was discovered by the researchers while they were analyzing the recent campaigns.

"FinFisher spyware masqueraded as an executable file named "Threema." Such a file could be used to target privacy-concerned users, as the legitimate Threema application provides secure instant messaging with end-to-end encryption," the researchers say. 

"Ironically, getting tricked into downloading and running the infected file would result in the privacy-seeking user being spied upon." 

Gamma Group has not yet replied to the ESET report.