Unknown FinSpy Mac and Linux versions found in Egypt

Pierluigi Paganini September 28, 2020

Experts from Amnesty International uncovered a surveillance campaign that targeted Egyptian civil society organizations with a new version of FinSpy spyware.

Amnesty International uncovered a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of the infamous FinSpy surveillance spyware.

The new versions employed in this campaign allow its operators to spy on both Linux and macOS systems.

Finisher, aka FinFisher, is a multiplatform surveillance software used by government and law enforcement agencies for their investigations, but unfortunately, it made the headlines because it was also used by oppressive regimes to spy on dissidents, activists, and Journalists.

Since 2011 it was employed in attacks aimed at Human Rights Defenders (HRDs) in many countries, including Bahrain, Ethiopia, UAE, and more. 

FinSpy can spy on most popular desktop and mobile operating systems, including Android, iOS, Windows, macOS, and Linux. It allows to use the users’ devices as a spying tool, it can control both webcam and microphone, to spy on communications and exfiltrate data stored on the infected systems.

The new versions of FinSpy spyware were used by a new unknown hacking group, Amnesty International speculates the involvement of a nation-state actor that employed them since September 2019.

The researchers were investigating the activities of another hacking group, tracked as NilePhish, which was involved in the past in attacks aimed at Egyptian NGOs, when discovered the new spyware sample uploaded on VirusTotal.

“While continuing research into this group’s activity, we discovered it has distributed samples of FinSpy for Microsoft Windows through a fake Adobe Flash Player download website. Amnesty International has not documented human rights violations by NilePhish directly linked to FinFisher products.” reads the Amnesty’s report.

The binaries are obfuscated and do some checks to detect if the spyware is running in a Virtual Machine.

The mobile version of the surveillance software in the first stage of the infection leverages the exploits to get root access. If the exploits don’t work, the malicious code will ask the user to grant root permissions to launch the next stage installer.

Below the infection chain for the FinSpy for Linux, descrived by the researchers.

“The “PDF” file obtained from the server is a short script containing encoded binaries for Linux 32bit and 64bit. It extracts the binary for the relevant architecture in /tmp/udev2 and executes it. Like its Mac OS counterpart, FinSpy for Linux is also obfuscated using LLVM-Obfuscator.” continues the analysis. “The modules available in the Linux sample are almost identical to the MacOS sample. The binaries are stored encrypted and obfuscated too, with a slightly different format, the AES Initialization vector being stored within the core module binary instead of in the encrypted module files.”


The experts shared technical details about their investigation, including indicators of compromise (IoC) to allow users to determine whether their devices have been compromised.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FinSpy)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment