First discovered in 2011, the FinSpy malware has grown to add UEFI bootkit to its arsenal. When infected, it can log keys, credentials, and other sensitive data from communication and transport them to the hacker.
An Update to FinSpy
FinSpy, also known as FinFisher or Wingbird, is a surveillance malware first discovered in 2011. While it was the desktop implant, a mobile version was discovered a year later. This was initially spread through Trojanised installer – legitimate software but bundled with malware. Users downloading these files and unpacking will install the malware unknowingly and get infected. In 2014, the FinSpy team added support to Master Boot Record (MBR) and later found connections with the Indonesian government and infections in Myanmar. Igor Kuznetsov and Georgy Kucherin, researchers at Kaspersky’s Security Analyst Summit (SAS), revealed an upgraded version of FinSpy. The surveillanceware has just added Unified Extensible Firmware Interface (UEFI) bootkit to its desktop attacking vectors. As UEFI is an essential element handling the operation of OS, it’s good for FinSpy attackers to go undetected in a better way. With this, they can replace the Windows Boot Manager (bootmgfw.efi) with a malicious version, which houses two encrypted files within – a Winlogon Injector and FinSpy’s primary loader. Though the trojan was encrypted, it will be decrypted and injected into the winlogon.exe once the user logs in. While this happens by leveraging the UEFI in new systems, old systems without UEFI are attacked through MBR. Once in, FinSpy performs its intended duty of spying and stealing data like OS information, Microsoft product keys, locally stored media, credentials of VPN, browser and WiFi, search history, SSL keys, Skype recordings, etc.