FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]
Name | Description |
---|---|
FinSpy |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[1][5] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
FinFisher establishes persistence by creating the Registry key |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
FinFisher creates a new Windows service with the malicious executable for persistence.[1][5] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[1][5] |
|
Enterprise | T1083 | File and Directory Discovery |
FinFisher enumerates directories and scans for certain files.[1][5] |
|
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking | |
.002 | Hijack Execution Flow: DLL Side-Loading |
FinFisher uses DLL side-loading to load malicious programs.[1][5] |
||
.013 | Hijack Execution Flow: KernelCallbackTable |
FinFisher has used the |
||
Enterprise | T1070 | .001 | Indicator Removal on Host: Clear Windows Event Logs |
FinFisher clears the system event logs using |
Enterprise | T1056 | .004 | Input Capture: Credential API Hooking |
FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.[1][7] |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[1][5] |
Enterprise | T1027 | Obfuscated Files or Information |
FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[1][5] |
|
.001 | Binary Padding |
FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[1][5] |
||
.002 | Software Packing | |||
Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit | |
Enterprise | T1057 | Process Discovery |
FinFisher checks its parent process for indications that it is running in a sandbox setup.[1][5] |
|
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.[1][5] |
Enterprise | T1012 | Query Registry |
FinFisher queries Registry values as part of its anti-sandbox checks.[1][5] |
|
Enterprise | T1113 | Screen Capture |
FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.[1][5] |
|
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
FinFisher probes the system to check for antimalware processes.[1][4] |
Enterprise | T1082 | System Information Discovery | ||
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.[5] |
Mobile | T1433 | Access Call Log | ||
Mobile | T1429 | Capture Audio |
FinFisher uses the device microphone to record phone conversations.[8] |
|
Mobile | T1412 | Capture SMS Messages | ||
Mobile | T1436 | Commonly Used Port |
FinFisher exfiltrates data over commonly used ports, such as ports 21, 53, and 443.[8] |
|
Mobile | T1404 | Exploit OS Vulnerability |
FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[8] |
|
Mobile | T1430 | Location Tracking |
FinFisher tracks the latitude and longitude coordinates of the infected device.[8] |
ID | Name | References |
---|---|---|
G0070 | Dark Caracal | |
G0070 | Dark Caracal |