Finfisher, the case of a cyber espionage tool found everywhere

Pierluigi Paganini August 14, 2012

Two days ago, reading the news that the lawful interception malware FinFisher had been discovered in the wild, I thought:

“Wow, finally we have the evidence; probably we will debate for a long time regarding the use of this tool and of similar agents.”

But as fate would have it, the same day brought the news that a new malware had hit the Middle East, and the interesting items on FinFisher fell into oblivion.

What is surprising is that the FinFisher spyware has been discovered on at least five continents.

What is FinFisher?

It is a powerful cyber espionage agent developed by Gamma Group that is able to secretly spy on a target’s computer, intercepting communications, recording every keystroke and taking complete control of the host.

The spyware is marketed for law enforcement and government use, but it appears to be favoured by regimes that want to monitor representatives of the opposition.

Bloomberg News reported on July 25 that security experts, led by researcher Morgan Marquis-Boire, believed they had identified instances of FinFisher while investigating malware e-mailed to Bahraini activists.

The malicious e-mails were obtained by Bloomberg News, and they are not the only evidence of the spread of the malware: another team, led by Claudio Guarnieri of Boston-based security company Rapid7, analyzed the lawful interception malware found in the wild and explained how it communicates with its command server.

The study revealed that servers matching the FinFisher fingerprint, believed to be command-and-control infrastructure, were also found in Australia, the U.S., Dubai, the Czech Republic, Indonesia, Latvia, Mongolia, Estonia, Qatar and Ethiopia.

As Guarnieri clarified, these findings do not indicate that the respective governments use FinFisher: Gamma clients may well operate the product, or its infrastructure, from other nations.

According to the report published by Rapid7, “Analysis of the FinFisher Lawful Interception Malware”:

“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,”

What is really worrying is the uncontrolled spread of this malware, evidence of a thriving market that nevertheless has many dark sides.

As Guarnieri put it:

“Once any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes,”

“It’s impossible to keep this kind of thing under control in the long term.”

Gamma International GmbH managing director Martin J. Muench dismissed the results presented by the researchers. He stated that Gamma has not sold its spyware to those countries, and added that the samples used in the investigations were stolen demonstration copies or had been sold via a third party.

Muench also stated that Gamma complies with the export regulations of the U.K., U.S. and Germany; meanwhile, the governments of the countries where the instances were detected have either denied using the spying product or have avoided giving any official explanation.

There is a great debate on the use of such spyware, which represents a serious threat to privacy and human rights. That similar malware has been detected all around the world shows how wide its diffusion is, and what is frightening is how a tool intended for a limited number of government and business customers has turned up everywhere.

According to Guarnieri’s study, the malware has a very noisy presence on the system: it installs many inline user-mode hooks in several running processes. The complete list of the agent’s functionalities is not yet clear, but the researchers believe that it remains silent whenever it has no active Internet connection.

The report states:

According to CitizenLab’s research and WikiLeaks cables, the following should be the supported features:

  • Bypassing of 40 regularly tested Antivirus Systems
  • Covert Communication with Headquarters
  • Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
  • Recording of common communication like Email, Chats and Voice-over-IP
  • Live Surveillance through Webcam and Microphone
  • Country Tracing of Target
  • Silent extracting of Files from Hard-Disk
  • Process-based Key-logger for faster analysis
  • Live Remote Forensics on Target System
  • Advanced Filters to record only important information
  • Supports most common Operating Systems (Windows, Mac OSX and Linux)


We believe that the Skype interception module is implemented by tampering with the circular sound buffer of Windows’ DirectSound interface.

While tracking the C&C servers, the researchers noted an unexpected behavior: every service bound to the ports the malware uses to exchange binary data responds in an unusual way to any HTTP request, even a malformed one.

For example, when connecting through telnet to 77.69.140.194:80 and sending “HEAD /”, the service responded as follows:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length:12

Hallo Steffi

Note that a HEAD response is not supposed to carry a body at all, which makes the reply even more distinctive. Such behavior is of course a perfect fingerprint, and that is how the researchers searched for command servers worldwide, plotting them on a map and listing the related IP addresses:

  • 112.78.143.26 (Indonesia)
  • 121.215.253.151 (Australia)
  • 78.100.57.165 (Qatar)
  • 213.55.99.74 (Ethiopia)
  • 94.112.255.116 (Czech Republic)
  • 213.168.28.91 (Estonia)
  • 54.248.2.220 (USA)
  • 202.179.31.227 (Mongolia)
  • 80.95.253.44 (Czech Republic)
  • 81.198.83.44 (Latvia)
  • 86.97.255.50 (Dubai, UAE)
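The fingerprinting step described above, written out as an added example that is not part of the original post or of the Rapid7 analysis. It sends the same bare “HEAD /” request the researchers used and applies three checks to whatever comes back: a 200 status, Content-Length 12 and the literal body “Hallo Steffi”. The two servers it probes are constructed stand-ins started on localhost for the demo (one reproducing the observed banner, one ordinary HTTP control that rejects the request); nothing here contacts the addresses listed above.

```python
"""Active fingerprint for the 'Hallo Steffi' banner described above.
Added example: the fake servers are constructed stand-ins bound to
localhost; nothing here contacts the addresses listed in the post."""
import socket
import socketserver
import threading

# Exactly what the telnet session above received, rebuilt as wire bytes.
OBSERVED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Content-Type: text/html; charset=UTF-8\r\n"
                     b"Content-Length:12\r\n"
                     b"\r\n"
                     b"Hallo Steffi")


def parse_http_response(raw: bytes):
    """Split a raw response into (status line, {lower-case header: value}, body).
    Tolerates a missing space after ':' and bare '\\n' line endings."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, _, body = raw.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    status = lines[0].decode("latin-1").strip()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def is_hallo_steffi(raw: bytes) -> bool:
    """True when the reply has the anomalous shape from the post: a 200 to a
    bare 'HEAD /', Content-Length 12 and the literal body 'Hallo Steffi'."""
    if not raw:
        return False
    status, headers, body = parse_http_response(raw)
    return (status.startswith("HTTP/1.1 200")
            and headers.get("content-length") == "12"
            and body[:12] == b"Hallo Steffi")


def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send the same malformed request the researchers used and collect the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD /\r\n\r\n")
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # keep-alive server: return whatever has arrived so far
    return b"".join(chunks)


class FakeFinSpyProxy(socketserver.StreamRequestHandler):
    """Constructed stand-in reproducing the observed behaviour: any request,
    however malformed, gets the fixed banner."""
    def handle(self):
        self.rfile.readline()
        self.wfile.write(OBSERVED_RESPONSE)


class OrdinaryHttp(socketserver.StreamRequestHandler):
    """Constructed control: a server that rejects the bare request."""
    def handle(self):
        self.rfile.readline()
        self.wfile.write(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")


def _serve(handler):
    """Start a handler on an ephemeral localhost port in a background thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo() -> dict:
    """Fingerprint both local servers; returns {name: matched?}."""
    results = {}
    for name, handler in (("finspy_like", FakeFinSpyProxy), ("ordinary_http", OrdinaryHttp)):
        srv, port = _serve(handler)
        try:
            results[name] = is_hallo_steffi(probe("127.0.0.1", port))
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately strict on all three fields rather than on the body alone, since any host could echo a fixed string; probing hosts you do not own requires authorisation.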

In conclusion, the researchers declared their strong interest in governmental malware, but also their concern about its wide use:

“The malware seems fairly complex and well protected/obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use.”

It is only a matter of time before similar applications are used by evil-minded actors for unspeakable purposes.

What we can do is spread knowledge about these tools and information on how to protect ourselves from what is a serious attack on our privacy.

Pierluigi Paganini

(Security Affairs – cyber espionage)

Update #1

The guys at EmergingThreats helped us refine our Snort rules a little bit in order to lower the possibility of false positives.

Following are the updated signatures; use them to detect FinSpy in your local networks:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)

Update #2

At the time of writing 8 out of the 12 servers are not responding anymore: all the ports originally used have been filtered or closed off after our analysis and the related news articles have been published.

Even the ones that were actively responding until yesterday, like Latvia and Bahrain, are now inaccessible. A very odd timing, isn’t it?

In the last hours we read of many people questioning the validity of the “Hallo Steffi” pattern, saying that it could be completely unrelated to the FinFisher toolkit, as also Gamma’s Muench stated to Bloomberg. Fair enough, we also mentioned in this same blog post that there is no way we can guarantee a direct connection between that string and the malware, we only reported an anomaly on the Bahraini infrastructure and the discovery of the same anomaly in other locations.

We believe that this unusual behavior could actually have been a deception technique adopted by the FinSpy Proxy to disguise the nature of the service, but that when they realized it was being actively used to fingerprint the C&C servers, it was promptly disabled to prevent further discoveries.

Every FinSpy sample is configured with a set of ports that it can try to contact: it starts from the lowest port (for example 20), attempts a connection 3 times and then moves on to the next one.

When running the Bahraini FinSpy sample, especially now that the server is not responding, it attempts the following connections:

13:02:43.747370 IP 10.0.2.15.1035 > 77.69.140.194.22: tcp 0
13:03:05.968816 IP 10.0.2.15.1036 > 77.69.140.194.53: tcp 0
13:03:28.100628 IP 10.0.2.15.1037 > 77.69.140.194.80: tcp 0
13:03:50.332553 IP 10.0.2.15.1038 > 77.69.140.194.443: tcp 0
13:04:21.517231 IP 10.0.2.15.1039 > 77.69.140.194.4111: tcp 0

As you can see, the last one is port 4111.

We believe this is the standard FinSpy port and that all the other ones are probably just forwarded to 4111. The FinSpy “demo” sample contacted port 3111 on tiger.gamma-international.de and ff-demo.blogdns.org, close enough.

Another interesting “coincidence” is that all the IP addresses we observed responding with the “Hallo Steffi” banner also had/have port 4111 open; in fact, if you check the only 4 servers currently up you can see:

Nmap scan report for bba44246.alshamil.net.ae (86.97.255.50)
Host is up (0.26s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
443/tcp  open     https
4111/tcp open     xgrid

Nmap scan report for 94.112.255.116.static.b2b.upcbusiness.cz (94.112.255.116)
Host is up (0.044s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
443/tcp  open   https
4111/tcp open   xgrid

Nmap scan report for 112.78.143.26
Host is up (0.26s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
443/tcp  open   https
4111/tcp open   xgrid

Nmap scan report for 213.55.99.74
Host is up (0.16s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
443/tcp  open   https
4111/tcp open   xgrid
9111/tcp open   DragonIDSConsole

The last one also shows port 9111, which we also observed open, along with port 3111, on a few occasions.

Is it more convincing now?
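An added example, not part of the Rapid7 text quoted above, that turns the two observations into detection code: the content/depth match of the Snort rules in Update #1 against the first bytes of a client payload, and the ascending walk over ports 22, 53, 80, 443 and 4111 visible in the tcpdump output in Update #2. The byte patterns, the port list and the five capture lines come from the page; the client payloads, the extra capture lines for 192.0.2.10 and the minimum-ports threshold are constructed or chosen for this demo.

```python
"""Two detections derived from the observations above: the Snort content/depth
match on the first client bytes (Update #1) and the ascending port walk seen in
the tcpdump output (Update #2).  Added example; payloads and the extra capture
lines are constructed."""
import re
from collections import defaultdict

# Byte patterns copied from the two Snort rules, with their depth values.
INIT_PATTERN = bytes.fromhex("0c00000040017300")
HANDSHAKE_PATTERN = bytes.fromhex("5c000000a00272000c0000004004fe00")
SIGNATURES = (
    ("FinFisher Malware Connection Initialization", INIT_PATTERN, 8),
    ("FinFisher Malware Connection Handshake", HANDSHAKE_PATTERN, 16),
)

# Ports the Bahraini sample walked, in the order shown in the capture.
FINSPY_PORT_WALK = (22, 53, 80, 443, 4111)


def snort_content_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort semantics of `content` plus `depth`: the whole pattern must sit
    within the first `depth` payload bytes (for these rules that pins it to offset 0)."""
    return pattern in payload[:depth]


def match_signatures(payload: bytes) -> list:
    """Names of the rules whose content match fires on a client payload."""
    return [name for name, pattern, depth in SIGNATURES
            if snort_content_match(payload, pattern, depth)]


TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): tcp (?P<length>\d+)$")


def parse_tcpdump(lines):
    """Yield (src, dst, dport, payload_len) from tcpdump one-liners of the
    form used above; lines that do not match are skipped."""
    for line in lines:
        m = TCPDUMP_LINE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["length"])


def find_port_walks(lines, min_ports: int = 3) -> dict:
    """Return {(src, dst): ports} for client/server pairs where the client
    tries the FinSpy port list in ascending order, ending at 4111, using only
    zero-payload segments (connection attempts that never carried data)."""
    attempts = defaultdict(list)
    for src, dst, dport, length in parse_tcpdump(lines):
        if length != 0:
            continue                # data flowed: not a bare connection attempt
        ports = attempts[(src, dst)]
        if not ports or ports[-1] != dport:
            ports.append(dport)     # collapse the repeated attempts per port
    walks = {}
    for pair, ports in attempts.items():
        if (len(ports) >= min_ports and ports[-1] == 4111
                and all(p in FINSPY_PORT_WALK for p in ports)
                and ports == sorted(ports)):
            walks[pair] = tuple(ports)
    return walks


# The five lines from the capture above, followed by constructed benign traffic
# to 192.0.2.10 (TEST-NET): one connection that carried data and one stray attempt.
SAMPLE_CAPTURE = """\
13:02:43.747370 IP 10.0.2.15.1035 > 77.69.140.194.22: tcp 0
13:03:05.968816 IP 10.0.2.15.1036 > 77.69.140.194.53: tcp 0
13:03:28.100628 IP 10.0.2.15.1037 > 77.69.140.194.80: tcp 0
13:03:50.332553 IP 10.0.2.15.1038 > 77.69.140.194.443: tcp 0
13:04:21.517231 IP 10.0.2.15.1039 > 77.69.140.194.4111: tcp 0
13:04:30.000000 IP 10.0.2.15.1040 > 192.0.2.10.80: tcp 0
13:04:30.100000 IP 10.0.2.15.1040 > 192.0.2.10.80: tcp 517
13:04:31.000000 IP 10.0.2.15.1041 > 192.0.2.10.443: tcp 0
""".splitlines()

# Constructed client payloads: each pattern at offset 0, the init pattern
# pushed past its depth window, and an ordinary HTTP request.
SAMPLE_PAYLOADS = {
    "init": INIT_PATTERN + b"\x00" * 24,
    "handshake": HANDSHAKE_PATTERN + b"\x01\x02",
    "shifted": b"\x00\x00" + INIT_PATTERN,
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def demo():
    """Run both detections over the constructed data."""
    return ({name: match_signatures(p) for name, p in SAMPLE_PAYLOADS.items()},
            find_port_walks(SAMPLE_CAPTURE))


if __name__ == "__main__":
    signatures, walks = demo()
    for name, hits in signatures.items():
        print(f"{name:10s} -> {hits or 'no match'}")
    for (src, dst), ports in walks.items():
        print(f"{src} walked {ports} on {dst}")
```

The port-walk heuristic is a behavioural complement to the byte signatures: it still fires when the C&C is down and no payload is ever exchanged, exactly the situation the capture above shows, while the `depth` check reproduces why the Snort rules only match when the pattern opens the stream.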

