FinSpy surveillance malware is now spreading through UEFI bootkits

The spyware had previously been associated with malicious installers and MBR bootkits.

The nefarious FinSpy spyware has now been upgraded for deployment within UEFI bootkits.

FinSpy, also known as FinFisher/Wingbird, is surveillanceware that has been detected in the wild since 2011. The software's Windows desktop-based implants were detected in 2011, and mobile implants were discovered a year later. 

In 2019, Kasperksy researchers found new, upgraded Android and iOS samples, as well as signs of ongoing infections in Myanmar. The Indonesian government was also connected to the spyware's use. 

At Kaspersky's Security Analyst Summit (SAS) on Tuesday, researchers Igor Kuznetsov and Georgy Kucherin said that detection rates for Windows FinSpy implants have declined steadily over the past three years. However, the software has now been upgraded with new PC infection vectors. 

According to Kaspersky, the malware has moved on from deployment purely through Trojanized installers -- normally bundled with legitimate applications -- including TeamViewer, VLC, and WinRAR. In 2014, its developers added Master Boot Record (MBR) bootkits, which aim to ensure malicious code is loaded at the earliest possible opportunity on an infected machine. 

The researchers say that now, Unified Extensible Firmware Interface (UEFI) bootkits have also been added to FinSpy's arsenal. 

The malware will, however, check for the presence of a virtual machine (VM), and if found, only shellcode is delivered, likely in an attempt to avoid reverse engineering attempts. 

UEFI systems are critical to computer systems as they have a hand in loading operating systems. FinSpy is not the only malware to target this machine element, with LoJax and MosaicRegressor also being prime examples

Kucherin did say, however, that the FinSpy bootkit was "not the average we normally see" and all that was necessary to install it was administrator rights. 

A sample of a UEFI bootkit that loaded FinSpy provided the team with clues to its functionality. The Windows Boot Manager (bootmgfw.efi) was replaced with a malicious variant, and once loaded, two encrypted files were also triggered, a Winlogon Injector and the Trojan's main loader. 

FinSpy's payload is encrypted, and once a user logs on, the loader is injected into winlogon.exe, leading to the decryption and extraction of the Trojan.

If a target machine is too old to support UEFI, this does not mean it is safe from infection. Instead, FinSpy will target the system via the MBR. It is possible for the malware to strike 32-bit machines.

The spyware is capable of capturing and exfiltrating a wide variety of data from an infected PC, including locally stored media, OS information, browser and virtual private network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.

On mobile, FinSpy will target contact lists, SMS messages, files in memory, email content, and GPS location coordinates. In addition, the malware can monitor Voice over IP (VoIP) communication and is able to rifle through content exchanged via apps including Facebook Messenger, Signal, Skype, WhatsApp, and WeChat.  

The macOS version of FinSpy contains only one installer -- and the same applies to the Linux version. However, in the latter case, the infection vector used to deliver FinSpy is currently unknown, although it is suspected that physical access may be required.  

The latest investigation into FinSpy took eight months. According to Kuznetsov, it is likely the operators "will keep upgrading their infrastructure all of the time" in what will be a "never-ending story."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0