Unnamed major internet providers are reported to be the distribution route for the spread of a new variant of government spyware FinFisher (also known as FinSpy) in two countries, with surveillance campaigns using the new malware variant detected in a total of seven unnamed countries.
Researchers at ESET say these campaigns are the first where the probable involvement of a major internet provider in spreading malware has been publicly disclosed.
“In two of the campaigns, the spyware has been spread via a man-in-the-middle attack and we believe that major internet providers have played the role of the man in the middle,” explains Filip Kafka, the ESET malware analyst who conducted the research.
FinFisher describes itself as a law enforcement tool; it is known to be used by various oppressive regimes. It allows surveillance through keylogging, and exfiltration of files, as well as live surveillance through webcams and microphones.
When a targeted user is about to download Skype, Whatsapp ,VLC Player, Avast or WinRAR, they are redirected to the attackers' server where they are served a trojanised installation package infected with FinFisher.
When the requested software is downloaded and executed, it installs not only the intended legitimate application, but also the FinFisher spyware bundled with it. The malicious link is delivered to the user's browser via an HTTP 307 Temporary Redirect status response code indicating that the requested content has been temporarily moved to a new URL. The whole redirection process occurs without the user's knowledge and is invisible to the naked eye.
Kafka,adds, “These FinFisher campaigns are sophisticated and stealthy surveillance projects, unprecedented in their combination of methods and reach.”
ESET takes the view that there is no such thing as good malware, as outlined in its response to an open letter by Bits of Freedom, a digital rights activist group.
FinFisher campaigns use various infection mechanisms, including spearphishing, manual installations with physical access to devices, 0-day exploits, and watering hole attacks – poisoning websites the targets are expected to visit (which ESET says it observed used to serve a mobile version of FinFisher).
Among the recent campaigns, FinFisher spyware was being targeted at people seeking stronger privacy as it masqueraded as an executable file named “Threema” which would provide secure instant messaging with end-to-end encryption.
Another installation was a file of TrueCrypt – the once-very-popular disk encryption software – trojanised with FinFisher.
ESET explains that it would be technically possible for the “man” in these man-in-the-middle attacks to be situated at various positions along the route from the target's computer to the legitimate server (eg compromised Wi-Fi hotspots). However, the company says, “the geographical dispersion of ESET's detections of latest FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option.”
It says this assumption is supported by a number of facts: First, according to leaked internal materials that have been published by WikiLeaks, the FinFisher maker offered a solution called “FinFly ISP” to be deployed on ISP networks with capabilities matching those necessary for performing such a MitM attack. Second, the infection technique (using the HTTP 307 redirect) is implemented in the very same way in both of the affected countries, which is very unlikely unless it was developed and/or provided by the same source. Third, all affected targets within a country are using the same ISP. Finally, the very same redirection method and format have been used for internet content filtering by internet service providers in at least one of the affected countries.
The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed – until now. If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach.
ESET has a free online scanner which allows users to check their computer for FinFisher and remove it if detected.