S0182 FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. ¹ ² ³ ⁴ ⁵

Item	Value
ID	S0182
Associated Names	FinSpy
Type	MALWARE
Version	1.4
Created	16 January 2018
Last Modified	02 March 2022
Navigation Layer	View In ATT&CK® Navigator

Associated Software Descriptions

Name	Description
FinSpy	³ ⁴

Techniques Used

Domain	ID	Name	Use
enterprise	T1548	Abuse Elevation Control Mechanism	-
enterprise	T1548.002	Bypass User Account Control	FinFisher performs UAC bypass.¹⁵
enterprise	T1134	Access Token Manipulation	-
enterprise	T1134.001	Token Impersonation/Theft	FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.¹⁵
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder	FinFisher establishes persistence by creating the Registry key `HKCU\Software\Microsoft\Windows\Run`.¹⁵
enterprise	T1543	Create or Modify System Process	-
enterprise	T1543.003	Windows Service	FinFisher creates a new Windows service with the malicious executable for persistence.¹⁵
enterprise	T1140	Deobfuscate/Decode Files or Information	FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.¹⁵
enterprise	T1083	File and Directory Discovery	FinFisher enumerates directories and scans for certain files.¹⁵
enterprise	T1574	Hijack Execution Flow	-
enterprise	T1574.001	DLL Search Order Hijacking	A FinFisher variant uses DLL search order hijacking.¹⁴
enterprise	T1574.002	DLL Side-Loading	FinFisher uses DLL side-loading to load malicious programs.¹⁵
enterprise	T1574.013	KernelCallbackTable	FinFisher has used the `KernelCallbackTable` to hijack the execution flow of a process by replacing the `__fnDWORD` function with the address of a created Asynchronous Procedure Call stub routine.⁶
enterprise	T1070	Indicator Removal	-
enterprise	T1070.001	Clear Windows Event Logs	FinFisher clears the system event logs using `OpenEventLog/ClearEventLog APIs` .¹⁵
enterprise	T1056	Input Capture	-
enterprise	T1056.004	Credential API Hooking	FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.¹⁷
enterprise	T1036	Masquerading	-
enterprise	T1036.005	Match Legitimate Name or Location	FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.¹⁵
enterprise	T1027	Obfuscated Files or Information	FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.¹⁵
enterprise	T1027.001	Binary Padding	FinFisher contains junk code in its functions in an effort to confuse disassembly programs.¹⁵
enterprise	T1027.002	Software Packing	A FinFisher variant uses a custom packer.¹⁴
enterprise	T1542	Pre-OS Boot	-
enterprise	T1542.003	Bootkit	Some FinFisher variants incorporate an MBR rootkit.¹⁵
enterprise	T1057	Process Discovery	FinFisher checks its parent process for indications that it is running in a sandbox setup.¹⁵
enterprise	T1055	Process Injection	-
enterprise	T1055.001	Dynamic-link Library Injection	FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.¹⁵
enterprise	T1012	Query Registry	FinFisher queries Registry values as part of its anti-sandbox checks.¹⁵
enterprise	T1113	Screen Capture	FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.¹⁵
enterprise	T1518	Software Discovery	-
enterprise	T1518.001	Security Software Discovery	FinFisher probes the system to check for antimalware processes.¹⁴
enterprise	T1082	System Information Discovery	FinFisher checks if the victim OS is 32 or 64-bit.¹⁵
enterprise	T1497	Virtualization/Sandbox Evasion	-
enterprise	T1497.001	System Checks	FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.⁵
mobile	T1429	Audio Capture	FinFisher uses the device microphone to record phone conversations.⁸
mobile	T1404	Exploitation for Privilege Escalation	FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.⁸
mobile	T1430	Location Tracking	FinFisher tracks the latitude and longitude coordinates of the infected device.⁸
mobile	T1636	Protected User Data	-
mobile	T1636.002	Call Log	FinFisher accesses and exfiltrates the call log.⁸
mobile	T1636.004	SMS Messages	FinFisher captures and exfiltrates SMS messages.⁸

Groups That Use This Software

ID	Name	References
G0070	Dark Caracal	⁸

References

FinFisher. (n.d.). Retrieved December 20, 2017. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. ↩
Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018. ↩↩
Kaspersky Lab’s Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018. ↩↩↩↩↩
Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022. ↩
Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017. ↩
Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. ↩↩↩↩↩↩