Researchers from the cyber security software company Eset have detected surveillance campaigns utilising a new variant of FinFisher, the infamous spyware also known as FinSpy. Seven countries are affected, and in two of them major internet providers have most likely been involved in infecting the targets of surveillance. Eset did not name the countries or the providers, in order to avoid putting anyone in danger.
“In two of the campaigns, the spyware has been spread via a man-in-the-middle attack and we believe that major internet providers have played the role of the man in the middle,” explained Filip Kafka, the Eset malware analyst who conducted the research, as cited in the company’s press release.
FinFisher is spyware marketed as a law enforcement tool and sold to governmental agencies around the world. It is also believed to have been used by oppressive regimes.
FinFisher spyware has extensive spy capabilities, such as live surveillance through webcams and microphones, keylogging, and exfiltration of files. It has received a number of improvements in its latest version, aimed at improving its spy capabilities, staying under the radar and preventing analysis. The most important innovation, however, is the way in which the surveillance tool is delivered to targeted computers.
When a targeted user is about to download one of several popular applications, such as WhatsApp, Skype or VLC Player, the download request is redirected to the attacker’s server. There, the user is served a trojanised installation package that bundles FinFisher with the legitimate application.
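The delivery chain described above leaves two traces a defender can check for: a download that is redirected off the vendor's domain (or travels over plain HTTP, where an in-path provider can tamper with it) and an installer whose hash no longer matches the value the vendor publishes. The following is an added example, not code from Eset or from the report; the redirect chain, hostnames and installer bytes are constructed placeholders, not indicators from the campaigns.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample: a redirect chain as it might be reconstructed from proxy
# logs, listed as (HTTP status, URL) hops. All hostnames are hypothetical.
SAMPLE_CHAIN = [
    (302, "http://download.example-vendor.test/vlc-setup.exe"),
    (302, "http://cdn-mirror.not-the-vendor.test/vlc-setup.exe"),
    (200, "http://cdn-mirror.not-the-vendor.test/vlc-setup.exe"),
]

# Constructed stand-in for a clean installer; the pinned hash would normally be
# taken from the vendor's HTTPS download page, out of band from the download.
CLEAN_INSTALLER = b"MZ-constructed-clean-installer-bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


PINNED_SHA256 = sha256_hex(CLEAN_INSTALLER)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 approximation (last two labels); enough for this example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_redirect_chain(chain, expected_domain: str) -> list:
    """Flag hops that are plaintext (tamperable in transit) or leave the vendor's domain."""
    findings = []
    for _status, url in chain:
        u = urlparse(url)
        if u.scheme != "https":
            findings.append(f"plaintext hop: {url}")
        if registrable_domain(u.hostname or "") != expected_domain.lower():
            findings.append(f"off-domain hop: {url}")
    return findings


def verify_installer(data: bytes, pinned_sha256: str) -> bool:
    """True only if the downloaded bytes match the out-of-band pinned hash."""
    return sha256_hex(data) == pinned_sha256.lower()


def should_block(chain, expected_domain: str, data: bytes, pinned_sha256: str) -> bool:
    """Block installation if the chain looks tampered with or the hash does not match."""
    return bool(audit_redirect_chain(chain, expected_domain)) or not verify_installer(data, pinned_sha256)
```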
“During the course of our investigations, we found a number of indicators that suggest the redirection is happening at the level of a major internet provider’s service,” said Kafka.
These campaigns are the first where the probable involvement of a major internet provider in spreading malware has been publicly disclosed, said Kafka as cited in the press release.
“These FinFisher campaigns are sophisticated and stealthy surveillance projects, unprecedented in their combination of methods and reach,” noted Kafka.
Eset responds to threats leaked from security agencies
Eset launched the latest version of its flagship home security products in the middle of September. Their new protection layer, a scanner for UEFI (Unified Extensible Firmware Interface), runs before Windows starts and checks the firmware for threats. It exists because malicious code planted in UEFI executes before both the operating system and conventional security software have loaded.
“Eset is the first security software company that provides protection of UEFI to their home users,” said Matej Krištofík, product manager at Eset.
Other improved functions include home network monitoring, which gives an overview of the devices connected to the user’s network, and enhanced protection from ransomware. The latter is based on behavioural monitoring: it watches the behaviour of apps or processes that attempt to modify data on the computer.