Researchers claim FinFisher scalp with RAT analysis

Researchers believe they have analysed FinSpy, part of the FinFisher cyber-espionage suite, which was sent to Bahraini activists this year
Written by Tom Espiner, Contributor

Researchers believe they have analysed part of FinFisher, a commercially available cyber-espionage suite, for the first time.

Having analysed several pieces of malware sent to Bahraini pro-democracy activists and obtained by Bloomberg News, researchers from the University of Toronto Munk School of Global Affairs' Citizen Lab believe they have identified one part of the suite made by Gamma International.

FinSpy, FinFisher's Remote Access Tool (RAT), is designed to intercept encrypted communications, according to documents on WikiLeaks. The RAT allows an attacker to monitor encrypted communications such as Skype calls, according to Citizen Lab.

The RAT attempted to infect the Bahraini activists' machines using social engineering, said the researchers.

"In early May, we were alerted that Bahraini activists were targeted with apparently malicious e-mails," a Munk researcher said in a blog post on Wednesday. "The emails ostensibly pertained to the ongoing turmoil in Bahrain, and encouraged recipients to open a series of suspicious attachments."

The emails sent to activists typically carried infected .rar archives, which contained executables masquerading as picture files or documents. Once executed, the files installed a multi-featured Trojan which used "a myriad of techniques" to try to evade detection.

For example, a virtualised, bespoke packer converted native x86 instructions from the malware into another custom language chosen from one of 11 code templates. These instructions were then interpreted by an obfuscated interpreter customised for that particular language.

The malware also looks for antivirus software, and appears to be able to evade some antivirus products on a version-by-version basis, said the researchers.

The RAT collects a wide range of data from an infected victim, including screenshots, keylogger data, audio from Skype calls, and passwords, said Citizen Lab. Data such as Skype chat messages and audio from all participants in a call are extracted, encrypted using AES, and sent to the party that launched the attack.

Samples of the Trojan have been extremely hard to come by, according to F-Secure chief research officer Mikko Hypponen.

"To analyse this sample in detail is groundbreaking," Hypponen told ZDNet on Wednesday. "We've seen sales pitches, but we haven't seen a sample before."

Hypponen said that F-Secure would now ask for a sample of the Trojan, and build it into its anti-malware.