Current FinFisher surveillance attacks: Are internet providers involved?
Security researchers have found that legitimate downloads of several popular applications, including WhatsApp, Skype, VLC Player and WinRAR, have reportedly been compromised at the ISP level to deliver the infamous FinFisher spyware, also known as FinSpy.
FinSpy is a highly secretive surveillance tool that has previously been linked to the British company Gamma Group, which sells surveillance and spying software to government agencies around the world.
Here’s How the Attack Works:
When targeted users search for one of the affected applications on legitimate websites and click on its download link, their browser is served a modified URL, which redirects them to a trojanized installation package hosted on the attacker's server.
This results in the installation of a version of the intended legitimate application bundled with the surveillance tool.
“The redirection is achieved by the legitimate download link being replaced by a malicious one,” the researchers say. “The malicious link is delivered to the user’s browser via an HTTP 307 Temporary Redirect status response code indicating that the requested content has been temporarily moved to a new URL.”
The whole redirection process, according to the researchers, is "invisible to the naked eye" and occurs without the user's knowledge.
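A defender-side check for the redirect trick described above, as an added example that is not part of the original report or of ESET's tooling: it audits a recorded redirect chain for an installer download and flags any redirect that leaves the original host or drops from https to http. The hostnames and response headers are constructed for the example.

```python
"""Audit a recorded installer-download redirect chain (added example, constructed data)."""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: a 307 that sends the installer request to a different host.
SUSPICIOUS_CHAIN = [
    ("https://vendor.example/download/setup.exe",
     "HTTP/1.1 307 Temporary Redirect\r\n"
     "Location: http://files.untrusted.example/setup.exe\r\n\r\n"),
    ("http://files.untrusted.example/setup.exe",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"),
]

# Constructed sample: a same-host redirect to a mirror path, which is normal.
BENIGN_CHAIN = [
    ("https://vendor.example/download/setup.exe",
     "HTTP/1.1 302 Found\r\nLocation: /mirror/eu/setup.exe\r\n\r\n"),
    ("https://vendor.example/mirror/eu/setup.exe",
     "HTTP/1.1 200 OK\r\n\r\n"),
]

def parse_status_and_location(raw_headers):
    """Return (status_code, Location header value or None) from raw response headers."""
    lines = raw_headers.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for header in lines[1:]:
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "location":
            location = value.strip()
    return status, location

def audit_redirect_chain(chain):
    """Return findings for every redirect in the chain that changes host or scheme."""
    findings = []
    for requested_url, raw_headers in chain:
        status, location = parse_status_and_location(raw_headers)
        if status not in REDIRECT_CODES or location is None:
            continue
        src = urlparse(requested_url)
        dst = urlparse(urljoin(requested_url, location))  # resolve relative Location
        if dst.hostname != src.hostname:
            findings.append(f"{status} redirect leaves {src.hostname} for {dst.hostname}")
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(f"{status} redirect downgrades https to http")
    return findings
```

A proxy or browser extension that records each response's status line and Location header can feed its chains into `audit_redirect_chain` before the downloaded installer is run.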
FinFisher Picks Up a Whole Lot of New Tricks
The extra tricks employed by the latest version of FinFisher helped it evade detection by researchers.
The researchers also note that the advanced version of FinFisher received several technical improvements in terms of stealth, including the use of custom code virtualization to protect the majority of its components, such as the kernel-mode driver.
It additionally uses anti-disassembly tricks, along with numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks, and is aimed at compromising end-to-end encryption software and known privacy tools.
A sample masquerading as the secure messaging application Threema was also discovered by the researchers while they were analyzing the recent campaigns.
“FinFisher spyware masqueraded as an executable file named “Threema.” Such a file could be used to target privacy-concerned users, as the legitimate Threema application provides secure instant messaging with end-to-end encryption,” the researchers say.
“Ironically, getting tricked into downloading and running the infected file would result in the privacy-seeking user being spied upon.”
Gamma Group has not yet replied to the ESET report.