According to ESET researchers, a new malware campaign is spreading across seven countries.
At the center of the campaign is the “FinFisher” spyware, which is allegedly being distributed with the cooperation of internet service providers.
FinFisher, also called “FinSpy,” is surveillance software developed by Gamma Group.
It has historically been sold to governments and has reportedly been used to keep track of opposition groups and public figures.
The ESET research team believes this new campaign is being run by internet service providers in collaboration with governments to target persons of interest in their own countries.
What Does This Malware Do?
What sets this version of the malware apart is that it evades detection by most antivirus products while monitoring communication software such as Skype.
It can also capture video chats, log calls and copy files from the infected machine.
According to its creator, FinFisher was developed to help government and law enforcement agencies identify and track criminals.
In practice, however, the spyware is now being used to infect systems in several countries.
ESET published its findings on the new FinFisher campaign on its blog, stating that internet service providers may be involved in its distribution.
In the same post, ESET notes that the latest version of FinFisher differs from previous iterations and contains several improvements.
Earlier versions struggled to stay hidden from popular antivirus programs; the upgraded version gets past them undetected.
Rather than exploiting a browser plugin such as Flash, this campaign infects computers at the moment users download legitimate applications such as Skype, VLC or WhatsApp.
ESET also stated that FinFisher is being spread through MiTM attacks.
In a MiTM (Man-in-the-Middle) attack, the attacker sits in the communication path between the user and the server they are talking to and can read or alter the data stream as it passes.
That position lets the attacker both spy on the user and deliver malware. In this campaign, when the user clicks the download link on a legitimate site, the response is tampered with so that the browser is redirected to the attacker’s server, which hands out the installer instead.
That installer is a trojanised package that drops the FinFisher spyware.
So a user who goes to a website to download their favourite application is unaware that the download has been fetched from somewhere else.
To avoid raising suspicion, the malicious installer also installs the software the user actually intended to download.
This shows a considerable level of sophistication and indicates that the perpetrators put a lot of time and thought into the operation.
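The redirection described above only works because an in-path party can rewrite responses it is able to read. The following added example (not code from the original article, and not FinFisher or ESET code) models that in Python: a constructed “network” with a legitimate origin, an attacker host and an in-path intermediary that swaps a plaintext download response for a redirect. The hostnames, file contents and the choice of a 307 redirect status are all made up. The client side shows the two checks a careful downloader would perform: refuse redirects that leave the origin host or downgrade from HTTPS, and compare the downloaded bytes against a digest obtained from the publisher.

```python
"""Model of in-path download redirection and the client checks that defeat it.

Everything here is constructed for illustration: the hosts, the installer
bytes and the redirect status are invented, not taken from the campaign.
"""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Constructed legitimate origin: serves the same installer over http and https.
LEGIT_INSTALLER = b"legit-installer-bytes-v1.0"
ORIGIN = {
    "http://downloads.example-app.com/setup.exe": Response(200, {}, LEGIT_INSTALLER),
    "https://downloads.example-app.com/setup.exe": Response(200, {}, LEGIT_INSTALLER),
}

# Constructed attacker host: a trojanised installer that still carries the
# legitimate one, so the victim gets the program they asked for.
TROJANISED = b"dropper+" + LEGIT_INSTALLER
ATTACKER = {
    "http://cdn-mirror.example.net/setup.exe": Response(200, {}, TROJANISED),
}


def in_path_fetch(url, tamper):
    """Return the response the client actually sees.

    An in-path party can only rewrite what it can read: a plaintext HTTP
    request for the installer gets a redirect to the attacker's host, while
    the HTTPS request passes through untouched because its payload is opaque
    to the intermediary (TLS is assumed intact here).
    """
    if tamper and url.startswith("http://") and url in ORIGIN:
        return Response(307, {"Location": "http://cdn-mirror.example.net/setup.exe"})
    return ORIGIN.get(url) or ATTACKER.get(url) or Response(404)


def download(url, tamper=False, max_hops=5):
    """Follow redirects like a naive downloader, but record every hop and
    flag any hop that leaves the origin host or drops from https to http."""
    start = urlparse(url)
    hops, findings = [url], []
    for _ in range(max_hops):
        resp = in_path_fetch(url, tamper)
        if resp.status in (301, 302, 303, 307, 308):
            url = resp.headers["Location"]
            hops.append(url)
            target = urlparse(url)
            if target.hostname != start.hostname:
                findings.append(f"redirect to foreign host {target.hostname}")
            if start.scheme == "https" and target.scheme != "https":
                findings.append("downgrade from https")
            continue
        return resp.body, hops, findings
    raise RuntimeError("too many redirects")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verified_download(url, expected_sha256, tamper=False):
    """Downloader with both checks: reject suspicious redirects, then reject
    any payload whose digest differs from the one the publisher advertised."""
    body, hops, findings = download(url, tamper)
    if findings:
        return None, findings
    if sha256(body) != expected_sha256:
        return None, ["hash mismatch: got " + sha256(body)]
    return body, []


if __name__ == "__main__":
    good = sha256(LEGIT_INSTALLER)
    print(download("http://downloads.example-app.com/setup.exe", tamper=True))
    print(verified_download("http://downloads.example-app.com/setup.exe", good, tamper=True))
    print(verified_download("https://downloads.example-app.com/setup.exe", good, tamper=True))
```

Run with `tamper=True` the naive downloader silently ends up with the trojanised bytes from the attacker host, the hop log shows the cross-host redirect, and the HTTPS download is unaffected. The hash check is only as good as the channel the expected digest came from: if the same intermediary can rewrite the page that publishes the checksum, it can rewrite the checksum too, so the digest or a code-signing signature must be obtained over a channel the attacker cannot tamper with.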
The newest version also uses custom code virtualization to protect most of its components, including its kernel-mode driver.
It also carries anti-sandboxing, anti-debugging and anti-emulation tricks, which make it very difficult for a security analyst to take the code apart.
Are ISPs Really Involved?
While investigating the FinFisher campaign, ESET noticed that the redirection of users was happening at a point in the network that suggests the backing of a large internet service provider.
Only the new version of the malware was distributed this way, however: the redirection was seen in just two of the seven countries, the two where the new version was spread.
The older version found in the other five countries relied on the established infection techniques of previous campaigns.
It is also important to note that this theory hasn’t been decisively proven yet, and it is all speculation at this point.
ESET’s analysts note that, technically, the party performing the MiTM attack could sit at various positions on the route between the victim’s PC and the legitimate server it was trying to reach.
What points toward the involvement of major internet service providers, though, is the geographical dispersion of the detections of the new FinFisher versions.
A spread that wide is hard to explain by an attacker positioned close to individual victims, which makes the involvement of big ISPs the most plausible explanation.
Nothing concrete has emerged so far, but in due course the parties behind these attacks may be identified.
Until then, it is worth running an up-to-date scanner, such as ESET’s own free online scanner, to make sure your computer has not been caught up in the campaign.
When downloading software, insist on an HTTPS connection to the publisher and verify the installer’s digital signature or published checksum: the redirection used in this campaign depends on the attacker being able to tamper with an unencrypted download.