
Microsoft Guts FinFisher for all to see

In a report published by Microsoft on March 1, researchers have been able to dissect FinFisher. FinFisher is advertised as a lawful interception solution built by Germany-based FinFisher GmbH. It is sold exclusively to governments and is criticised by civil rights groups across the globe. It is sometimes referred to as FinSpy and has been active for nearly half a decade, often used by government agencies in conjunction with surveillance operations.

According to Microsoft, the analysis conducted by its researchers means that Windows Defender Advanced Threat Protection (Windows Defender ATP) can now detect behavior associated with the complex FinFisher spyware. The analysis was not as cut and dried as malware analysis sometimes can be. Microsoft admitted that the malware is complex and that the researchers had to develop special methods just to crack the offending spyware.

FinFisher’s Dissection

Cracking FinFisher open was no easy feat. The spyware is packed with a variety of detection-evasion and anti-analysis capabilities, including junk instructions and “spaghetti code,” multi-layered virtual machine detection, several anti-debug measures, and other defensive tricks. One of the things that made the code particularly hard to analyze was its use of “spaghetti code,” sometimes referred to as continuous code jumps. The jumps inserted by FinFisher’s authors make the program flow difficult to read and can confuse disassemblers. Reversing plugins exist that are designed to help researchers unscramble such code, but none of them worked here, so the Microsoft researchers had to develop their own tool, written in IDA (Interactive Disassembler) Python.
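As an added illustration of the kind of unscrambling the researchers describe (this is constructed example code, not Microsoft’s IDA Python tool), the following walks a small, constructed x86 listing, follows chains of unconditional jumps, and drops no-effect junk instructions so that the straight-line instruction order can be read again:

```python
# Added example (not Microsoft's IDAPython tool): unscrambling "spaghetti code"
# by following chains of unconditional jmps. Input is a constructed, simplified
# x86 listing: address -> (mnemonic, operands, byte length). Only straight-line
# control flow is recovered; conditional branches are kept as instructions and
# the fall-through path is followed.
from typing import Dict, List, Tuple

Instr = Tuple[str, str, int]      # mnemonic, operands, length in bytes
Step = Tuple[int, str, str]       # address, mnemonic, operands

# Instructions with no architectural effect, typical filler between code blocks.
JUNK = {("nop", ""), ("xchg", "eax, eax"), ("mov", "eax, eax")}

# Constructed sample: a short prologue/epilogue chopped into blocks linked by jmps.
SAMPLE: Dict[int, Instr] = {
    0x401000: ("push", "ebp", 1),
    0x401001: ("jmp", "0x401020", 5),
    0x401006: ("nop", "", 1),            # unreachable junk
    0x401010: ("sub", "esp, 0x10", 3),
    0x401013: ("jmp", "0x401030", 5),
    0x401020: ("mov", "ebp, esp", 2),
    0x401022: ("xchg", "eax, eax", 1),   # reachable junk
    0x401023: ("jmp", "0x401010", 5),
    0x401030: ("call", "0x402000", 5),
    0x401035: ("test", "eax, eax", 2),
    0x401037: ("jz", "0x401040", 2),     # conditional: kept, fall-through followed
    0x401039: ("jmp", "0x401040", 5),
    0x401040: ("leave", "", 1),
    0x401041: ("ret", "", 1),
}

def flatten(listing: Dict[int, Instr], entry: int) -> Tuple[List[Step], Dict[str, int]]:
    """Walk from `entry`, dropping relinking jmps and junk; stop at ret, at a
    revisited address (a real loop) or at an address outside the listing."""
    stats = {"jmps_removed": 0, "junk_removed": 0}
    seen, out, addr = set(), [], entry
    while addr in listing and addr not in seen:
        seen.add(addr)
        mnem, ops, size = listing[addr]
        if mnem == "jmp" and ops.startswith("0x"):   # direct unconditional jump
            stats["jmps_removed"] += 1
            addr = int(ops, 16)
            continue
        if (mnem, ops) in JUNK:
            stats["junk_removed"] += 1
        else:
            out.append((addr, mnem, ops))
        if mnem == "ret":
            break
        addr += size
    return out, stats

def render(steps: List[Step]) -> str:
    """Format the recovered sequence as a conventional listing."""
    return "\n".join(f"{a:#010x}  {m} {o}".rstrip() for a, m, o in steps)

if __name__ == "__main__":
    steps, stats = flatten(SAMPLE, 0x401000)
    print(render(steps))
    print(stats)
```

A real plugin works on the disassembler’s own instruction objects instead of a dict, but the core idea, treating a direct `jmp` as glue rather than as an instruction worth showing, is the same.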

The use of such measures is not novel, but before any analysis could begin the code first had to be converted into something vaguely readable. Once this was done, it was discovered that the spyware contains an array of opcode instructions interpreted by a custom virtual machine. 32 different routines were found, each implementing a different opcode and a different piece of functionality the malware may execute. This custom use of virtualized instruction blocks ensures that analysis with regular tools is not possible. To make matters worse, traditional anti-debug and anti-analysis tricks inside the virtualized code attempt to evade dynamic analysis tools as well. The researchers explained that

“Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM. […] The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization (ASLR). It is also able to move code execution into different locations if needed.”

FinFisher’s Multiple Deployment Stages

The first deployment stage of the spyware involves a loader designed specifically to detect sandbox environments. If this check is passed, the loader reads four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remaps them in memory, rendering debuggers and software breakpoints useless. In the second step, the spyware performs additional anti-sandbox checks: it looks for specific sandbox or security products, for virtualized environments (VMware or Hyper-V), and for signs that it is running under a debugger.


The stage that follows these checks is a second, multi-platform virtual machine, which the research team describes as follows:

“The 32-bit stage 2 malware uses a customized loading mechanism (i.e., the PE file has a scrambled IAT and relocation table) and exports only one function. For the 64-bit stage 2 malware, the code execution is transferred from the loader using a well-known technique called Heaven’s Gate.”

In addition, the 64-bit stage implements another loader and virtual machine. That virtual machine then extracts and decrypts the stage 3 malware. After decryption, the payload is remapped and executed in memory.

The next stage is installation, where FinFisher begins its setup process. At this point the spyware no longer employs virtual machines or code obfuscation. The installer runs either in a UAC-enforced environment with limited privileges or with full administrative privileges. During this step, payloads and additional files may be dropped under a folder in C:\ProgramData or in the user’s application data folder.

The last stage is the execution of the main malware. It can safely be assumed that the dissection and analysis gave the researchers at the software giant more than a few sleepless nights. That, however, is not the end of FinFisher; like a bad horror movie, it has one more surprise. The final stage adds one more layer of obfuscation around the final payload and sets up a special Structured Exception Handler routine to keep its operations stealthy. Once this is done, the environment is checked once more, and only then does it extract and execute the final payload.

Another Chapter in the Cyber Arms Race

While the malware authors enjoy the support of governments globally, the unraveling of their interception solution has hit a bump in the road. In all likelihood, it will result in the authors developing more complex methods to evade detection so that governments can continue their surveillance operations, moral or otherwise.

Civil groups such as The Citizen Lab have a long history of tracing the company’s actions and the product it sells to governments. The articles they have published make for interesting reading, and they show that the company’s product has been used in countries as far afield as Australia, South Africa, and Pakistan. The malware made headlines again in September of last year when it was observed exploiting a .NET Framework zero-day (CVE-2017-8759) for infection. This prompted ESET to ask whether Internet service providers (ISPs) might be knowingly and directly involved in FinFisher’s distribution process.

Microsoft’s hard work shines a light on the malware and on how the company’s offering is used to spy on targets, but it is doubtful whether it will stop the distribution of the malware, particularly given that the company has government support. For philosophy and law students, this makes a fine case study in how what is legal is not always moral.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
