Microsoft says it has cracked open the notorious FinFisher government spyware to design new ways to detect it and protect Windows and Office users.
FinFisher is sold to law-enforcement agencies around the world and its maker, European firm Gamma Group, has been criticized for selling it to repressive regimes.
Last year, researchers at FireEye discovered FinFisher being distributed in Word documents loaded with an attack for an Office zero-day targeting Russian-speaking victims.
In some countries ISPs have also assisted FinFisher rollouts by redirecting targets to an attack site when they attempt to install popular apps.
Malware researchers at ESET have found it difficult to analyze recent versions of FinFisher due to techniques it uses to prevent sandboxing, debugging, and emulation.
Microsoft's threat researchers say FinFisher's level of anti-analysis protection puts it in a "different category of malware" and reveals the lengths its makers went to ensuring it remains hidden and hard to analyze.
But now that Microsoft's reverse-engineering has unravelled the malware, the company says Office 365 Advanced Threat Protection (ATP) is harder for FinFisher to recognise as a sandbox, while Windows Defender Advanced Threat Protection (ATP) has improved detections for it.
The Office 365 protection features a "detonation sandbox" that opens suspicious attachments and observes what their code does. That matters because the first thing FinFisher does after dropping its code on a system is check whether it is running in a sandbox.
Microsoft analysts found that FinFisher's initial loader could "easily detect both VMWare and Hyper-V environments through the detection of the virtualized peripherals".
The researchers note that Office 365 ATP sandbox now has "special mechanisms" to avoid detection by these types of checks.
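To make the peripheral-fingerprinting idea concrete, here is an added example (not FinFisher's code and not from Microsoft's analysis) of how a loader can classify a host as VMware, Hyper-V or something else from three kinds of evidence: the hypervisor vendor signature returned by CPUID leaf 0x40000000, device description strings of the sort Windows exposes through PnP and WMI, and NIC MAC address OUIs. The device strings and MAC addresses in the block are constructed samples, the function names are my own, and read_cpuid_vendor only reads live data when compiled with GCC or Clang on x86.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#endif

/* Added example, not FinFisher's code: hypervisor fingerprinting from the
 * identifiers of virtualised peripherals. Sample strings are constructed. */
enum hypervisor { HV_NONE = 0, HV_VMWARE, HV_HYPERV, HV_OTHER };

/* Case-insensitive substring test so "VMware" and "VMWARE" both match. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Device descriptions as Windows exposes them via PnP/WMI (disk models, NIC
 * and display adapter names); virtual hardware carries the vendor's name. */
enum hypervisor classify_device(const char *desc)
{
    if (contains_ci(desc, "vmware")) return HV_VMWARE;
    if (contains_ci(desc, "hyper-v") || contains_ci(desc, "msft virtual")) return HV_HYPERV;
    if (contains_ci(desc, "virtualbox") || contains_ci(desc, "vbox") ||
        contains_ci(desc, "qemu")) return HV_OTHER;
    return HV_NONE;
}

/* NIC MAC address by OUI: VMware assigns 00:05:69, 00:0C:29, 00:1C:14 and
 * 00:50:56; Hyper-V assigns 00:15:5D. Unparseable input counts as no evidence. */
enum hypervisor classify_mac(const char *mac)
{
    unsigned b0, b1, b2;
    if (sscanf(mac, "%2x:%2x:%2x", &b0, &b1, &b2) != 3) return HV_NONE;
    switch ((b0 << 16) | (b1 << 8) | b2) {
    case 0x000569: case 0x000C29: case 0x001C14: case 0x005056: return HV_VMWARE;
    case 0x00155D: return HV_HYPERV;
    default: return HV_NONE;
    }
}

/* Vendor signature from CPUID leaf 0x40000000: EBX, ECX, EDX as 12 ASCII bytes. */
enum hypervisor classify_cpuid_vendor(const char *sig)
{
    if (strncmp(sig, "VMwareVMware", 12) == 0) return HV_VMWARE;
    if (strncmp(sig, "Microsoft Hv", 12) == 0) return HV_HYPERV;
    if (strncmp(sig, "KVMKVMKVM", 9) == 0 || strncmp(sig, "XenVMMXenVMM", 12) == 0 ||
        strncmp(sig, "VBoxVBoxVBox", 12) == 0) return HV_OTHER;
    return HV_NONE;
}

/* Combine the evidence; the first positive signal wins, like a loader that
 * bails out as soon as any check trips. cpuid_sig may be NULL. */
enum hypervisor scan_host(const char *const *devices, size_t ndev,
                          const char *const *macs, size_t nmac, const char *cpuid_sig)
{
    enum hypervisor v;
    size_t i;
    if (cpuid_sig && (v = classify_cpuid_vendor(cpuid_sig)) != HV_NONE) return v;
    for (i = 0; i < ndev; i++)
        if ((v = classify_device(devices[i])) != HV_NONE) return v;
    for (i = 0; i < nmac; i++)
        if ((v = classify_mac(macs[i])) != HV_NONE) return v;
    return HV_NONE;
}

/* Read the live signature on x86 with GCC/Clang. Returns 0 when the
 * hypervisor-present bit (leaf 1, ECX bit 31) is clear or on other targets. */
int read_cpuid_vendor(char out[13])
{
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    unsigned eax, ebx, ecx, edx;
    __cpuid(1, eax, ebx, ecx, edx);
    if (!(ecx & (1u << 31))) return 0;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    /* Constructed evidence resembling a VMware guest. */
    const char *devices[] = { "VMware Virtual disk SCSI Disk Device",
                              "Intel(R) 82574L Gigabit Network Connection" };
    const char *macs[] = { "00:0C:29:3A:4B:5C" };
    char sig[13];
    const char *live = read_cpuid_vendor(sig) ? sig : NULL;
    printf("verdict: %d (0 none, 1 VMware, 2 Hyper-V, 3 other)\n",
           scan_host(devices, 2, macs, 1, live));
    return 0;
}
```

A detonation sandbox has to defeat every item on a list like this, not just the first: the hypervisor can mask the CPUID vendor string, but disk models, adapter names and MAC OUIs also have to be replaced with plausible physical-hardware values, or a loader that checks peripherals simply refuses to run and the sandbox sees nothing.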
Windows Defender ATP now also is capable of detecting different attack techniques used by FinFisher, such as memory injection.
In all, Microsoft's analysts peeled back six layers that protect each stage of infection and shield the core spyware from analysis. These defenses included multiple custom virtual machines, which made analysis with regular tools "practically impossible", and so-called "spaghetti code" designed to trip up analysis tools.
The company has now published a list of dozens of FinFisher VM "opcode handlers": the routines that implement the custom virtual machine's instructions, which in turn drive the various features the malware may execute.
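To show what an opcode handler is in this context, here is an added toy example (not FinFisher's VM and not from Microsoft's write-up) of a bytecode interpreter whose handler table implements a seven-instruction virtual machine; the only routine it runs is an in-place XOR decode of a constructed nine-byte blob. The opcode numbers, register layout, handler names and sample program are all invented for illustration; a real VM obfuscator uses a far larger, per-sample instruction set.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added toy example of VM-based obfuscation, not FinFisher's VM. Opcode
 * numbers are arbitrary: a real obfuscator picks them per build. */
enum { OP_LOAD = 0x11, OP_XOR = 0x2A, OP_STORE = 0x37, OP_ADDI = 0x44,
       OP_DEC = 0x5C, OP_JNZ = 0x63, OP_HALT = 0x7F };

struct vm {
    uint32_t r[4];            /* r0 pointer, r1 scratch, r2 key, r3 counter */
    const uint8_t *code; size_t clen; size_t pc;
    uint8_t *mem; size_t mlen;
    int running, fault;
};

/* Fetch the next operand byte, faulting on a truncated instruction. */
static uint8_t operand(struct vm *vm)
{
    if (vm->pc >= vm->clen) { vm->fault = 1; vm->running = 0; return 0; }
    return vm->code[vm->pc++];
}
static uint32_t *reg(struct vm *vm, uint8_t idx) { return &vm->r[idx & 3]; }

/* One handler per opcode. Memory accesses are bounds-checked against mlen. */
static void h_load(struct vm *vm)
{
    uint8_t a = operand(vm);
    uint8_t b = operand(vm);
    uint32_t p = *reg(vm, b);
    if (p >= vm->mlen) { vm->fault = 1; vm->running = 0; return; }
    *reg(vm, a) = vm->mem[p];
}
static void h_store(struct vm *vm)
{
    uint8_t a = operand(vm);
    uint8_t b = operand(vm);
    uint32_t p = *reg(vm, a);
    if (p >= vm->mlen) { vm->fault = 1; vm->running = 0; return; }
    vm->mem[p] = (uint8_t)*reg(vm, b);
}
static void h_xor(struct vm *vm)  { uint8_t a = operand(vm); uint8_t b = operand(vm); *reg(vm, a) ^= *reg(vm, b); }
static void h_addi(struct vm *vm) { uint8_t a = operand(vm); uint8_t imm = operand(vm); *reg(vm, a) += imm; }
static void h_dec(struct vm *vm)  { uint8_t a = operand(vm); (*reg(vm, a))--; }
static void h_jnz(struct vm *vm)  { uint8_t a = operand(vm); uint8_t tgt = operand(vm); if (*reg(vm, a) != 0) vm->pc = tgt; }
static void h_halt(struct vm *vm) { vm->running = 0; }

/* The handler table: this is what an analyst has to enumerate before the
 * bytecode can be read as a program. */
static const struct { uint8_t op; void (*fn)(struct vm *); } handlers[] = {
    { OP_LOAD, h_load }, { OP_XOR, h_xor }, { OP_STORE, h_store }, { OP_ADDI, h_addi },
    { OP_DEC, h_dec }, { OP_JNZ, h_jnz }, { OP_HALT, h_halt },
};

/* Fetch-and-dispatch loop. Returns instructions executed, or -1 on an unknown
 * opcode, truncated instruction or out-of-bounds memory access. */
int vm_run(const uint8_t *code, size_t clen, uint8_t *mem, size_t mlen, uint32_t regs[4])
{
    struct vm vm = { { regs[0], regs[1], regs[2], regs[3] }, code, clen, 0, mem, mlen, 1, 0 };
    int executed = 0;
    while (vm.running) {
        uint8_t op = operand(&vm);
        size_t i;
        if (vm.fault) return -1;
        for (i = 0; i < sizeof handlers / sizeof handlers[0]; i++)
            if (handlers[i].op == op) break;
        if (i == sizeof handlers / sizeof handlers[0]) return -1;   /* unknown opcode */
        handlers[i].fn(&vm);
        if (vm.fault) return -1;
        executed++;
    }
    memcpy(regs, vm.r, sizeof vm.r);
    return executed;
}

/* The "protected" routine: an in-place XOR decode that exists only as bytecode. */
int vm_xor_decode(uint8_t *buf, size_t len, uint8_t key)
{
    static const uint8_t prog[] = {
        OP_LOAD,  1, 0,   /*  0: r1 = mem[r0]        */
        OP_XOR,   1, 2,   /*  3: r1 ^= r2 (key)      */
        OP_STORE, 0, 1,   /*  6: mem[r0] = r1        */
        OP_ADDI,  0, 1,   /*  9: r0 += 1             */
        OP_DEC,   3,      /* 12: r3 -= 1             */
        OP_JNZ,   3, 0,   /* 14: if r3 != 0 goto 0   */
        OP_HALT,          /* 17                      */
    };
    uint32_t regs[4] = { 0, 0, key, (uint32_t)len };
    if (len == 0) return 0;   /* a zero counter would otherwise wrap and loop */
    return vm_run(prog, sizeof prog, buf, len, regs);
}

int main(void)
{
    /* Constructed sample: the ASCII string "FinFisher" XORed with 0x5A. */
    uint8_t blob[] = { 0x1C, 0x33, 0x34, 0x1C, 0x33, 0x29, 0x32, 0x3F, 0x28 };
    int n = vm_xor_decode(blob, sizeof blob, 0x5A);
    printf("%d instructions executed -> %.9s\n", n, (char *)blob);
    return 0;
}
```

The point for the analyst is that the native binary contains only the generic fetch-and-dispatch loop and the handlers; the actual logic (here, the XOR loop) exists only as bytecode, so a disassembler or decompiler shows the interpreter rather than the program. Recovering a handler list like the one Microsoft published is the first step toward reading what the malware does.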
A stage 3 installer takes "DLL side-loading to a new level" and chooses between different installation methods depending on whether it is running under UAC restrictions or with full administrative privileges.
Microsoft's researchers say they were "a bit disappointed" not to find a privilege escalation exploit once they had cleared away FinFisher's attempts at concealing itself.
Microsoft found the spyware itself is modular with various plugins that can be loaded from a resource section. One sample it analyzed had a plugin for spying on internet connections, diverting SSL connections and stealing data from encrypted traffic.