Experts observed for the first time FinFisher infections involving usage of a UEFI bootkit

Experts spotted a new variant of the FinFisher surveillance spyware that is able to hijack and replace the Windows UEFI bootloader to infect Windows machines.

Malware researchers at Kaspersky have spotted a new improvement of the infamous commercial FinSpy surveillance spyware (also known as Wingbird), it can now hijack and replace the Windows UEFI (Unified Extensible Firmware Interface) bootloader to infect the target machines.

Replacing the UEFI bootloader allows that attackers to install a bootkit that could not be detected security solutions running on the machine and allows the malware to gain persistence on the infected systems.

Kaspersky experts shared the results of an 8-months investigation into FinSpy spyware at the Security Analyst Summit (SAS) 2021. The researchers uncovered four-layer obfuscation and advanced anti-analysis measures employed by the authors that currently make FinFisher one of the hardest-to-detect spywares to date.

Kaspersky experts pointed out that the FinFisher variant they detected did not infect the UEFI firmware itself, the attackers replaced the Windows Boot Manager (bootmgfw.efi) with a malicious one to infect the machine.

“During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager.” reads the analysis published by Kaspersky. “It is stored inside the efi\microsoft\boot\en-us\ directory, with the name consisting of hexadecimal characters. This directory contains two more files: the Winlogon Injector and the Trojan Loader.”

Unlike previous FinSpy versions, the new samples leverage two components to prevent malware analysis, a non-persistent pre-validator and a post-validator. The former ensures that the victim machine is not used for malware analysis, the latter is a persistent implant used to ensure that the victim is the intended one. 

The experts also observed that when the spyware targets machines that do not support UEFI, the infections involve the use of the MBR (Master Boot Record).  

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” added Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect.”

Researchers published a detailed analysis of the new variant of FinFisher, the report also includes further technical details along with indicators of compromise (IOCs) for the FinFisher versions for Windows, Linux, and macOS.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FinFisher)

[adrotate banner=”5″]

[adrotate banner=”13″]