
Finfisher- Nguyễn Chấn Việt


Page 1

FinFisher The Cyber Espionage Tool

VietNC

Security Research

Page 2

Who Am I?

• VietNC

• Malware Analyst

• Exploit Developer

Page 3

Agenda

• Overview

• PC version
  • Windows

• Mobile version
  • iOS
  • Android
  • Windows Mobile
  • BlackBerry
  • Symbian

Page 4

Gamma Group

Gamma Group serves governmental customers only.

Target clients:

- Law Enforcement Agencies: Police, Anti-Corruption, VIP Protection, Customs, Presidential Guard, Naval & Border Security

- Intelligence Agencies: Internal and External Security Departments

- Military: Intelligence, Signal Intelligence, Army, Navy, Air Force

- Special Events: International Conferences & Events

Page 5

Overview

Page 6

Overview

Page 7

Product Capabilities


Product Name: Description

FinSpy Mobile: Offers the ability to compromise the target's mobile phone: BlackBerry, iOS, Android.

FinSpy: Refers to the suite of FinFly offerings enumerated below.

FinFly USB: Requires direct access to the machine. Can extract and infect.

FinFly FireWire: Requires direct access to the machine. Can extract and infect.

FinFly LAN: Requires direct access to the target LAN. Can perform various MITM activities.

FinFly NET: Requires that the target visit a network under the attacker's control. Can perform various MITM activities.

FinFly ISP: Attacks the target's ISP. Can MITM either before traffic reaches the ISP's core network, or afterward.

FinFly Web: Attempts to deploy malware to targets through various web-based attack vectors.

FinFly Exploit Portal: Basically an online repository of 0-days and 1-days that paying customers can integrate into their attacks on targets and deploy to said targets using various other FinFly offerings.

Page 8

Bypassing AVs

Page 9

Bypassing AVs

Page 10

Dropper

The dropper extracts two of its own PE resources (walking the resource directory by hand rather than through the resource APIs) and deobfuscates them with a simple XOR algorithm.

One resource decodes to a JPEG file, which is then written over the original sample file as its replacement.

The other resource is a PE file that is later loaded into the current process's address space by a custom PE loader.

Page 11

Dropper

The first 4 bytes are XORed with the key.

Each following 4-byte block is XORed with the previous block in its obfuscated form (the bytes as they sit in the resource, not the decoded ones), so decoding is a single forward pass over the buffer.
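The chaining on this slide, implemented as an added example (not the presenter's code). It assumes a 4-byte little-endian key and that a trailing block shorter than four bytes is XORed byte-wise against the leading bytes of the previous obfuscated block; the key and resource bytes are constructed for the demonstration, not taken from a sample. The obfuscate() direction is included only so the decoder can be checked on a known round trip.

```python
import struct

BLOCK = 4  # the slide describes 4-byte (DWORD) chaining


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def deobfuscate(data: bytes, key: int) -> bytes:
    """Undo the dropper's chained XOR.

    Block 0 is XORed with the key; every later block is XORed with the
    obfuscated (on-disk) form of the block before it, so the whole buffer
    is recovered in one forward pass.
    """
    prev = struct.pack("<I", key)      # assumption: little-endian DWORD key
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        block = data[off:off + BLOCK]
        out += xor_bytes(block, prev)
        prev = block                   # keep the obfuscated block, not the plaintext
    return bytes(out)


def obfuscate(data: bytes, key: int) -> bytes:
    """Inverse of deobfuscate(); used here only to build test input."""
    prev = struct.pack("<I", key)
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        block = xor_bytes(data[off:off + BLOCK], prev)
        out += block
        prev = block
    return bytes(out)


def identify(blob: bytes) -> str:
    """Classify a decoded resource by magic; the slide names a JPEG and a PE."""
    if blob[:3] == b"\xff\xd8\xff":
        return "JPEG"
    if blob[:2] == b"MZ":
        return "PE"
    return "unknown"


# Constructed inputs: a JPEG-like header and a PE-like header, not real resources.
DEMO_KEY = 0x2A1B3C4D
DEMO_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02"   # 13 bytes: exercises the partial last block
DEMO_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"


def demo() -> dict:
    """Obfuscate the constructed resources, decode them, and classify the result."""
    results = {}
    for name, plain in (("jpeg", DEMO_JPEG), ("pe", DEMO_PE)):
        recovered = deobfuscate(obfuscate(plain, DEMO_KEY), DEMO_KEY)
        results[name] = (recovered == plain, identify(recovered))
    return results


if __name__ == "__main__":
    for name, (ok, kind) in demo().items():
        print(f"{name}: round-trip {'ok' if ok else 'FAILED'}, identified as {kind}")
```

Because each block depends only on the obfuscated block before it, a wrong key corrupts just the first 4 bytes of output; checking for the JPEG or MZ magic after decoding is therefore a quick way to confirm the key recovered from the dropper is the right one.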

Page 12

Dropper

Hex dumps of the resource before and after XOR deobfuscation (screenshots not reproduced).

Page 13

Self Delete

Page 14

Payload Extraction

Decrypt the resources:

- Test.exe (main component)

- driverw.sys (described as "Microsoft Disk Driver")

- shell32.dll

- msvcr90.dll

- …

The DLL names mimic legitimate Microsoft components, but these are the malware's own modules. They are written to %TEMP% and executed via the ShellExecuteW API.

Page 15

Features in the payload

Persistence via the per-user Run key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Page 16

Shell32.dll

- Injects msvcr90.dll into another process

- Detects firewalls/AVs (Comodo, KAS)

- Injects code into explorer.exe

Page 17

OS Version

The malware checks the OS version:

- 32-bit: continues to decrypt the 32-bit modules.

- 64-bit: writes an x64 build of the malware into the %TEMP% folder, launches it with CreateProcess and terminates itself.

Page 18

msvcr90.dll

Small packed and encrypted DLL

Decrypted only in memory

Acts as an internet proxy

Creates several threads:

- one that checks the injection status

- one that injects into Windows Task Manager and Sysinternals Process Explorer (32- and 64-bit)

- one that injects into all processes

- …

Page 19

The injected code

The injected code places inline user-mode hooks on the following functions in every running process:

ntdll.dll!NtDeviceIoControlFile

ntdll.dll!NtEnumerateKey

ntdll.dll!NtEnumerateValueKey

ntdll.dll!NtQueryDirectoryFile

ntdll.dll!NtQueryKey

ntdll.dll!NtQuerySystemInformation

kernel32.dll!CreateFileW

kernel32.dll!CreateProcessInternalW

kernel32.dll!MoveFileW

kernel32.dll!DeleteFileW

kernel32.dll!MoveFileExW

This is the classic user-mode rootkit hook set: the registry and directory enumeration calls are typically filtered to hide the malware's keys and files, NtQuerySystemInformation to hide its processes, and the kernel32 file and process functions to intercept file operations and process creation.
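Inline hooks of this kind are detectable from user mode by comparing the first bytes of each export as mapped in memory with the same bytes from the module on disk. The following is an added example, not from the presentation: it performs that comparison and decodes the trampoline forms hook engines most often write over a prologue (JMP rel32, PUSH/RET, MOV RAX/JMP RAX). The prologue bytes, addresses, syscall index and hook target are all constructed for illustration, not dumped from a FinFisher sample.

```python
import struct
from typing import Optional


def decode_trampoline(addr: int, code: bytes) -> Optional[int]:
    """Return the hook destination if `code` starts with a common trampoline stub.

    Recognised stubs:
      E9 rel32             JMP rel32 (x86 and x64)
      68 imm32 C3          PUSH imm32 / RET (x86)
      48 B8 imm64 FF E0    MOV RAX, imm64 / JMP RAX (x64)
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack("<i", code[1:5])[0]
        return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack("<I", code[1:5])[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return struct.unpack("<Q", code[2:10])[0]
    return None


def check_export(name: str, addr: int, in_memory: bytes, on_disk: bytes) -> Optional[dict]:
    """Flag an export whose in-memory prologue differs from the module on disk."""
    n = min(len(in_memory), len(on_disk))
    if in_memory[:n] == on_disk[:n]:
        return None
    return {
        "export": name,
        "address": addr,
        "target": decode_trampoline(addr, in_memory),
        "memory": in_memory[:8].hex(),
        "disk": on_disk[:8].hex(),
    }


def scan(exports) -> list:
    """Run check_export over (name, addr, in_memory, on_disk) tuples; return the hits."""
    hits = []
    for name, addr, mem, disk in exports:
        hit = check_export(name, addr, mem, disk)
        if hit:
            hits.append(hit)
    return hits


# Constructed data. CLEAN_STUB imitates a 32-bit ntdll syscall stub
# (mov eax, idx; mov edx, 7FFE0300h; call [edx]; ret 10h) with a made-up
# syscall index; the addresses and the hook target are invented too.
CLEAN_STUB = bytes.fromhex("b805000000ba0003fe7fff12c21000")
HOOK_TARGET = 0x10001000
NTQSI_ADDR = 0x7C90D9F0


def hooked_stub(addr: int, clean: bytes, target: int) -> bytes:
    """Overwrite the first five bytes with JMP rel32 to `target`, as a hook engine would."""
    rel = target - (addr + 5)
    return b"\xe9" + struct.pack("<i", rel) + clean[5:]


DEMO_EXPORTS = [
    ("ntdll.dll!NtQuerySystemInformation", NTQSI_ADDR,
     hooked_stub(NTQSI_ADDR, CLEAN_STUB, HOOK_TARGET), CLEAN_STUB),
    ("ntdll.dll!NtClose", 0x7C90CFD0, CLEAN_STUB, CLEAN_STUB),   # untouched, for contrast
]


def demo() -> list:
    return scan(DEMO_EXPORTS)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['export']} @ {hit['address']:#x}: hooked, jumps to {hit['target']:#x}")
```

On a live system the on-disk bytes must be read from the file and relocated before the comparison, and the jump target should be resolved to the owning module: a target inside no loaded image (here an unbacked region at 0x10001000) is exactly what injected code like msvcr90.dll's payload looks like.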

Page 20

Features in the PE payload

Page 21

Covering Tracks


GetCurrentDirectory()

FindFirstFile() / FindNextFile()

DeleteFileW

Page 22

C&C Signatures

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
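As an added example (not part of the slide or of Rapid7's tooling), the following reads those two rules, decodes the |..| hex content and applies Snort's content/depth semantics to constructed payloads. It evaluates only the content and depth options, not flow, protocol or direction, and the sample payloads are made up to show when a rule fires and when depth stops it from firing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two rules exactly as given on the slide.
FINFISHER_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; '
    'flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; '
    'classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; '
    'flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; '
    'sid:1000002; rev:1; classtype:trojan-activity; '
    'reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)',
]


@dataclass
class ContentRule:
    sid: int
    msg: str
    content: bytes
    depth: Optional[int]


def decode_content(raw: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, text inside is hex."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> ContentRule:
    """Pull msg, sid, content and depth out of a single-content Snort rule."""
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    sid = int(re.search(r"sid:(\d+)", rule).group(1))
    raw = re.search(r'content:"([^"]*)"', rule).group(1)
    depth_m = re.search(r"depth:(\d+)", rule)
    depth = int(depth_m.group(1)) if depth_m else None
    return ContentRule(sid, msg, decode_content(raw), depth)


def rule_matches(rule: ContentRule, payload: bytes) -> bool:
    """depth:N means the pattern must lie wholly within the first N payload bytes."""
    window = payload if rule.depth is None else payload[:rule.depth]
    return rule.content in window


def match_payload(rules: List[ContentRule], payload: bytes) -> List[int]:
    return [r.sid for r in rules if rule_matches(r, payload)]


# Constructed payloads (not captured traffic). "shifted" carries the init bytes
# at offset 4, so an 8-byte pattern cannot fit inside the 8-byte depth window.
SAMPLES = {
    "init": bytes.fromhex("0c00000040017300") + b"\x00" * 8,
    "handshake": bytes.fromhex("5c000000a00272000c0000004004fe00") + b"\x00" * 76,
    "shifted": b"\x00" * 4 + bytes.fromhex("0c00000040017300"),
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def demo() -> dict:
    rules = [parse_rule(r) for r in FINFISHER_RULES]
    return {name: match_payload(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name:10s} -> {sids or 'no match'}")
```

Note that the handshake payload contains the initialization rule's 8 bytes at offset 8, yet sid 1000001 does not fire on it: depth:8 restricts the search to the first eight bytes, which is what keeps these two signatures from overlapping.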

Page 23

Mobile version

Page 24

iOS version

The iOS version is built for ARMv7 against the iOS 5.1 SDK on OS X 10.7.3, and it appears to run on iPhone 4 and 4S, iPad 1, 2 and 3, and iPod touch 3 and 4 on iOS 4.0 and later.

Page 25

iOS version

The code signature contains 3 certificates:

Certificate “Apple Root CA”:

Will expire on 09.02.2035.

Your keychain contains this root certificate.

Certificate “Apple Worldwide Developer Relations Certification Authority”:

Will expire on 14.02.2016.

Certificate “iPhone Distribution: Martin Muench”:

Will expire on 03.04.2013.

SHA1 fingerprint: “1F921F276754ED8441D99FB0222A096A0B6E5C65”.

Page 26

Android

The application appears to install itself as “Android Services”:

Page 27

Android

Decoded C&C server address (screenshot not reproduced):

Page 28

Blackberry version

After installing (screenshot not reproduced):

Page 29

Blackberry version

After installation the malware requests enhanced permissions (screenshot not reproduced):

Page 30

Windows Mobile version


AddressBook: Providing exfiltration of details from contacts stored in the local address book.

CallInterception: Used to intercept voice calls, record them and store them for later transmission.

PhoneCallLog: Exfiltrates information on all performed, received and missed calls stored in a local log file.

SMS: Records all incoming and outgoing SMS messages and stores them for later transmission.

Tracking: Tracks the GPS locations of the device.

Page 31

Windows Mobile version

Page 32

Windows Mobile version


In order to manipulate phone calls, the malware makes use of the functions provided by RIL.dll, the Radio Interface Layer.

Page 33

Windows Mobile version

Page 34

Symbian version

The Symbian .sisx package presents itself as "System Update".

Page 35

Symbian version

Main component : “c:\sys\bin\updater.exe”

Page 36

Symbian version

As mentioned in the security section of the Nokia developer notes for Symbian:

“Trusted UI dialogs are rare. They must be used only when confidentiality and security are critical: for instance for password dialogs. Normal access to the user interface and the screen does not require this.”

The second file ("mysym.sisx") is an "Installation File" and appears to be signed by "Symbian CA I" for "Cyan Engineering Services SAL (offshore)".

Page 37

C&C Servers

Two servers in Brunei

One in Turkmenistan’s Ministry of Communications

Two in Singapore

One in the Netherlands

A new server in Indonesia

A new server in Bahrain

Page 38

Conclusion

Great malware

Page 39

Questions?

Page 40

Thank you!
