Pierluigi Paganini March 20, 2013

Many times we discussed about the fact that FinFisher was discovered in the wild, the use of popular spyware has been abused by governments and intelligence agencies all around the world. The spyware is for law enforcement and government use, but it seems to be  preferred for those regimes that desire to monitor representatives of the opposition.

FinFisher is considered powerful cyber espionage malware developed by Gamma Group that is able to secretly spy on target’s computers intercepting communications, recording every keystroke and taking the complete control of the host.

What is really concerning, as is obvious that both, is the fact that FinFisher is evolving, authors are improving its capabilities and in particular to ability to evade detection, security researchers discovered the agent at least in 25 countries across the globe, principally located in APAC. A group of researchers claimed that “the behavior of FinSpy servers began to change” to evade detection, tracks of the spyware were located in Australia, Bahrain, Bangladesh, India, Malaysia, Singapore, and Vietnam.

On July 2012 Bloomberg News reported that security experts, led by security researcher Morgan Marquis-Boire, identified instances of FinFisher during an investigation on malware e-mailed to Bahraini activists.

In the same period another team led by Claudio Guarnieri of Boston-based security company Rapid7 analyzed the instances of malware discovered in the wild revealing that instances of the FinFisher were detected also in Australia, U.S, Dubai, the Czech Republic, Indonesia, Latvia, Mongolia, Estonia, Qatar and Ethiopia.

Guarnieri clarified the discoveries don’t indicate that relative governments use Fisher, it is possible in fact that Gamma clients use the product in other nations. According the report published by Rapid7 “Analysis of the FinFisher Lawful Interception Malware“:

“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,”

What really worried is the uncontrolled spread of these malware, evidence of a thriving market which nevertheless has many dark sides.

The UK Government, imposed restriction to Gamma Group to export the software outside the EU, the authorities requested to the security firm to apply more control for exports especially to those countries where human rights are daily violated.

On Friday 1st February various organizations engaged in defense of human rights such as the European Center for Constitutional and Human Rights, Privacy International, the Bahrain Center for Human Rights and Reporters without Borders filed formal complaints with the Organisation for Economic Cooperation and Development (OECD) against Gamma International and Trovicor companies for suspected complicity in serious human rights abuses in Bahrain.

The deploy of the surveillance software has caused abuses in Bahrain, the local authorities have used information gathered from intercepted phone and internet communications to catch political dissidents and activists and extort confessions using unjust detentions and tortures.

A team of researchers at Toronto University’s Munk School of Global Affairs tracked 36 new command and control servers, but is surprising is that 30 of total servers are new, in 19 countries. Gamma International has repeatedly denied any links to the spyware and servers revealed by Munk School researchers.

For those who are interested I suggest an interesting post that describes the results of a comprehensive global Internet scan for the command and control servers of FinFisher’s surveillance software, key findings provided by authors (Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton):

• We have found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries: Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.
• A FinSpy campaign in Ethiopia uses pictures of Ginbot 7, an Ethiopian opposition group, as bait to infect users. This continues the theme of FinSpy deployments with strong indications of politically-motivated targeting.
• There is strong evidence of a Vietnamese FinSpy Mobile Campaign. We found an Android FinSpy Mobile sample in the wild with a command & control server in Vietnam that also exfiltrates text messages to a local phone number.
• These findings call into question claims by Gamma International that previously reported servers were not part of their product line, and that previously discovered copies of their software were either stolen or demo copies.

The analysis of the specialists reveals a bleak picture, the use of malware spreads like wildfire and probably many servers are still unidentified due to evasion techniques implemented Gamma company.

Another factor of concerns is the specialization of FinSpy also for mobile, in Vietnam researchers isolates an instance that also implemented GPS tracking of victims and spying on conversations and SMS.

Once again it is confirmed that:

“Moreover, discovery of a FinSpy command and control server in a given country is not a sufficient indicator to conclude the use of FinFisher by that country’s law enforcement or intelligence agencies. In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country.”

I conclude agreeing with authors of report that request an urgent policy debate about monitoring and surveillance software/architectures and related commercialization, the intolerable situation is under the eyes of all, many democratic countries also increased monitoring and surveillance activities in the name of homeland security … proceed in this direction can have dangerous consequences.

Pierluigi Paganini

(Security Affairs – Cyber FinFisher)