Skip to content

S0182 FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. 1 2 3 4 5

Item Value
ID S0182
Associated Names FinSpy
Version 1.4
Created 16 January 2018
Last Modified 02 March 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
FinSpy 3 4

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control FinFisher performs UAC bypass.15
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.15
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.15
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service FinFisher creates a new Windows service with the malicious executable for persistence.15
enterprise T1140 Deobfuscate/Decode Files or Information FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.15
enterprise T1083 File and Directory Discovery FinFisher enumerates directories and scans for certain files.15
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking A FinFisher variant uses DLL search order hijacking.14
enterprise T1574.002 DLL Side-Loading FinFisher uses DLL side-loading to load malicious programs.15
enterprise T1574.013 KernelCallbackTable FinFisher has used the KernelCallbackTable to hijack the execution flow of a process by replacing the __fnDWORD function with the address of a created Asynchronous Procedure Call stub routine.6
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs FinFisher clears the system event logs using OpenEventLog/ClearEventLog APIs .15
enterprise T1056 Input Capture -
enterprise T1056.004 Credential API Hooking FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.17
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.15
enterprise T1027 Obfuscated Files or Information FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.15
enterprise T1027.001 Binary Padding FinFisher contains junk code in its functions in an effort to confuse disassembly programs.15
enterprise T1027.002 Software Packing A FinFisher variant uses a custom packer.14
enterprise T1542 Pre-OS Boot -
enterprise T1542.003 Bootkit Some FinFisher variants incorporate an MBR rootkit.15
enterprise T1057 Process Discovery FinFisher checks its parent process for indications that it is running in a sandbox setup.15
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.15
enterprise T1012 Query Registry FinFisher queries Registry values as part of its anti-sandbox checks.15
enterprise T1113 Screen Capture FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.15
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery FinFisher probes the system to check for antimalware processes.14
enterprise T1082 System Information Discovery FinFisher checks if the victim OS is 32 or 64-bit.15
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.5
mobile T1433 Access Call Log FinFisher accesses and exfiltrates the call log.8
mobile T1429 Capture Audio FinFisher uses the device microphone to record phone conversations.8
mobile T1412 Capture SMS Messages FinFisher captures and exfiltrates SMS messages.8
mobile T1436 Commonly Used Port FinFisher exfiltrates data over commonly used ports, such as ports 21, 53, and 443.8
mobile T1404 Exploit OS Vulnerability FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.8
mobile T1430 Location Tracking FinFisher tracks the latitude and longitude coordinates of the infected device.8

Groups That Use This Software

ID Name References
G0070 Dark Caracal 8
G0070 Dark Caracal 8


Back to top