FinFisher/FinSpy seen in targeted emails

July 31, 2012

Dell SonicWALL Threats Research team received reports of a spying tool being sent as an attachment in spear phishing emails targeting activists. This spying tool, called FinFisher/FinSpy, has been linked to covert use by various governments for surveillance within and across their borders. The tool behaves like a Trojan and uses various stealth techniques to evade detection. It harvests user data and attempts to upload that data, in encrypted form, to a remote server.

The executable in the email attachment uses the following misleading icons:
[screenshot: icons used by the attached executable]

The FinSpy tool when executed performs the following activities:

  • It creates the following files:
    • %appdata%\Microsoft\Installer\mssounddx.sys [Detected as GAV: FinSpy.A_3 (Trojan)]
    • %appdata%\Microsoft\Installer\shellex32.dll [Detected as GAV: FinSpy.A_4 (Trojan)]
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}80C.dat (Harvested data)
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}(02-21)C.dat (Harvested data)
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}ico_ty23.ico (Harvested data)
    • %temp%\delete.bat (Batch file with commands to delete itself)
  • It creates the following registry key so that the infection persists across reboots:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssounddx: "%appdata%\Microsoft\Installer\mssounddx.sys"
  • It hooks the following API in ntdll.dll:
    • CsrClientCallServer
  • It starts iexplorer.exe and injects code into it
  • It attempts to contact the following remote servers (these sub-domains no longer resolve):
    • tiger.gamma-international.de
    • ff-demo.blogdns.org
  • It attempts to send encrypted data over TCP ports 22, 3111, 3112 and 3113:

    [screenshot: encrypted traffic on TCP ports 22, 3111, 3112 and 3113]

  • It attempts to disguise itself as Mozilla Firefox, as seen in its resource section:

    [screenshot: resource section of the executable]
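
The following Python is an added illustration, not part of the SonicWALL write-up, showing how the host and network indicators listed above can be turned into a detection pass over endpoint events. The event kinds and field names (FileCreate, RegistryCreate, NetworkConnect, path, key, dest_host, dest_port) are assumed, Sysmon-style names, the sample events are constructed, and TCP port 22 is deliberately not alerted on by itself because ordinary SSH traffic would drown the signal.

```python
import json

# Indicators from the advisory above, lower-cased for case-insensitive matching.
DROP_FILES = {"mssounddx.sys", "shellex32.dll"}
DROP_GUID = "{8171412b-b34c-4183-a4bb-057cea02f7fb}"
SERVICE_KEY = "\\currentcontrolset\\services\\mssounddx"
C2_DOMAINS = {"tiger.gamma-international.de", "ff-demo.blogdns.org"}
C2_PORTS = {3111, 3112, 3113}   # 22 is left out on purpose: SSH alone is not a signal

def check_event(ev):
    """Return a reason string if one event matches a FinSpy indicator, else None."""
    kind = ev.get("event", "")
    if kind == "FileCreate":
        path = ev.get("path", "").lower()
        name = path.rsplit("\\", 1)[-1]
        # %appdata% is ...\AppData\Roaming on Vista+ and ...\Application Data on XP
        in_appdata = "\\appdata\\roaming\\" in path or "\\application data\\" in path
        if in_appdata and "\\microsoft\\installer\\" in path:
            if name in DROP_FILES or DROP_GUID in path:
                return "dropped FinSpy file: " + ev["path"]
    elif kind == "RegistryCreate":
        if ev.get("key", "").lower().endswith(SERVICE_KEY):
            return "persistence service key: " + ev["key"]
    elif kind == "NetworkConnect":
        host = ev.get("dest_host", "").lower()
        if host in C2_DOMAINS:
            return "known FinSpy C2 domain: " + host
        port = int(ev.get("dest_port", 0))
        if port in C2_PORTS:
            return "FinSpy C2 port %d to %s" % (port, ev.get("dest_ip", "?"))
    return None

def scan(lines):
    """Run check_event over one-JSON-object-per-line events; return [(line_no, reason)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = check_event(json.loads(line))
        if reason:
            hits.append((n, reason))
    return hits

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r'''
{"event": "FileCreate", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Installer\\mssounddx.sys"}
{"event": "FileCreate", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Installer\\{8171412B-B34C-4183-A4BB-057CEA02F7FB}80C.dat"}
{"event": "FileCreate", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\report.docx"}
{"event": "RegistryCreate", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\mssounddx"}
{"event": "NetworkConnect", "dest_host": "tiger.gamma-international.de", "dest_ip": "203.0.113.7", "dest_port": 3112}
{"event": "NetworkConnect", "dest_host": "www.example.com", "dest_ip": "198.51.100.5", "dest_port": 443}
'''.strip().splitlines()
```

Calling scan(SAMPLE_EVENTS) flags sample lines 1, 2, 4 and 5 and leaves the Word document and the HTTPS connection alone.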

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FinSpy.A (Trojan)
  • GAV: FinSpy.A_2 (Trojan)
  • GAV: FinSpy.A_3 (Trojan)
  • GAV: FinSpy.A_4 (Trojan)
  • IPS: FinFisher Server Traffic
  • IPS: FinFisher Client Connection Attempt