FinFisher - Nguyễn Chấn Việt
FinFisher: The Cyber Espionage Tool
VietNC
Security Research
Who Am I?
• VietNC
• Malware Analyst
• Exploit Developer
Agenda
• Overview
• PC version
  • Windows
• Mobile version
  • iOS
  • Android
  • Windows Mobile
  • BlackBerry
  • Symbian
Gamma Group
Gamma Group serves Governmental Customers only
Target Clients:
- Law Enforcement Agencies: Police, Anti-Corruption, VIP Protection, Customs, Presidential Guard, Naval & Border Security
- Intelligence Agencies: Internal and External Security Departments
- Military: Intelligence, Signal Intelligence, Army, Navy, Air Force
- Special Events: International Conferences & Events
Overview
Product Capabilities
| Product Name | Description |
| --- | --- |
| FinSpy Mobile | Offers ability to compromise target's mobile phone: BlackBerry, iOS, Android. |
| FinSpy | Refers to the suite of FinFly offerings enumerated below. |
| FinFly USB | Requires direct access to machine. Can extract and infect. |
| FinFly FireWire | Requires direct access to machine. Can extract and infect. |
| FinFly LAN | Requires direct access to the target LAN. Can perform various MITM activities. |
| FinFly NET | Requires that target visit a network that is in the control of the attacker. Can perform various MITM activities. |
| FinFly ISP | Attacks the target's ISP. Can MITM either before hitting the ISP's core network, or afterward. |
| FinFly Web | Attempts to deploy malware to targets through various web-based attack vectors. |
| FinFly Exploit Portal | Basically an online repository of 0-days and 1-days that paying customers can integrate into their attacks on targets and deploy to said targets using various other FinFly offerings. |
Bypassing AVs
Dropper
The malware extracts two of its own PE resources (walking the PE resource directory manually rather than through the Windows resource APIs) and deobfuscates them with a simple XOR scheme.
One resource deobfuscates to a JPEG file, which then replaces the original sample file on disk as a decoy.
The other resource is a PE file that is later mapped into the current process's address space by a custom PE loader.
The XOR scheme works on 4-byte blocks: the first 4 bytes are XORed with the key bytes.
Each following 4-byte block is XORed with the previous 4 bytes as they appear in the obfuscated input, so decoding needs nothing beyond the key and the resource itself.
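The chained XOR just described, reconstructed as an added analysis helper (not code from the presentation): it decodes a resource and identifies the result by its magic, since the slides say one resource becomes the JPEG decoy and the other the PE module. The key and the sample resources are constructed for the demonstration.

```python
# Added example: the dropper's 4-byte chained XOR, reconstructed from the slide
# text. Key and sample resources below are constructed, not real FinFisher data.
import struct

BLOCK = 4  # the dropper works on 4-byte units

def deobfuscate(data: bytes, key: bytes) -> bytes:
    """Block 0 is XORed with the key; every later block is XORed with the
    previous *obfuscated* block, so decoding needs only the input bytes."""
    if len(key) != BLOCK:
        raise ValueError("key must be exactly 4 bytes")
    out = bytearray()
    prev = key
    for off in range(0, len(data), BLOCK):
        chunk = data[off:off + BLOCK]
        out.extend(c ^ p for c, p in zip(chunk, prev))  # zip tolerates a short tail
        prev = chunk
    return bytes(out)

def obfuscate(data: bytes, key: bytes) -> bytes:
    """Forward transform (inverse of deobfuscate); used only to build samples."""
    out = bytearray()
    prev = key
    for off in range(0, len(data), BLOCK):
        chunk = bytes(p ^ q for p, q in zip(data[off:off + BLOCK], prev))
        out.extend(chunk)
        prev = chunk
    return bytes(out)

def classify(blob: bytes) -> str:
    """Tell the two decoded resources apart by magic: the decoy JPEG that
    replaces the original sample file, or the PE module for the custom loader."""
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if blob.startswith(b"MZ") and len(blob) >= 0x40:
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    return "unknown"

# Constructed sample material (not real FinFisher resources).
KEY = b"\x12\x34\x56\x78"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # 11 bytes: exercises the short tail
SAMPLE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20

def decode_resource(obfuscated: bytes, key: bytes = KEY) -> tuple:
    """What an analyst does per resource: decode, then identify by magic."""
    plain = deobfuscate(obfuscated, key)
    return classify(plain), plain
```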
Before XOR / After XOR: hex dumps of the resource before and after decoding (slide images, not reproduced here).
Self Delete
Payload Extraction
Decrypts the embedded resources:
- Test.exe (main component)
- driverw.sys: named "Microsoft Disk Driver"
- shell32.dll
- msvcr90.dll
- …
The files are written to %TEMP% and executed through the ShellExecuteW API.
Features in the payload
Persistence through the per-user autostart (Run) key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Shell32.dll
- Injects msvcr90.dll into another process
- Detects firewalls/AVs (Comodo, KAS)
- Injects code into explorer.exe
OS Version
The malware checks the OS version:
- 32-bit: continues and decrypts the 32-bit modules
- 64-bit: drops a new x64 build of the malware into the %TEMP% folder, launches it with CreateProcess and terminates itself
msvcr90.dll
A tiny packed and encrypted DLL, decrypted only in memory.
It acts as an internet proxy for the other components.
It creates several threads:
- one that checks whether injection succeeded
- one that injects into Windows Task Manager and Sysinternals Process Explorer (32- and 64-bit)
- one that injects into all processes
- …
The injected code
The injected code installs inline user-mode hooks on the following functions in every running process (registry, file-system and process-enumeration paths, so the rootkit can hide its own keys, files and processes from user-mode tools):
- ntdll.dll!NtDeviceIoControlFile
- ntdll.dll!NtEnumerateKey
- ntdll.dll!NtEnumerateValueKey
- ntdll.dll!NtQueryDirectoryFile
- ntdll.dll!NtQueryKey
- ntdll.dll!NtQuerySystemInformation
- kernel32.dll!CreateFileW
- kernel32.dll!CreateProcessInternalW
- kernel32.dll!MoveFileW
- kernel32.dll!DeleteFileW
- kernel32.dll!MoveFileExW
- …
Features in the PE payload
Covering Tracks
APIs used to locate and remove its own dropped files:
- GetCurrentDirectory()
- FindFirstFile() / FindNextFile()
- DeleteFileW()
C&C Signatures
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
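To make the two signatures above concrete, here is an added example (not from the presentation, nor a Snort component) that applies their `content`/`depth` fields to raw TCP payloads the way Snort would: the pattern has to sit entirely within the first `depth` bytes. The `|..|` hex notation is parsed from the rule text as given; the traffic samples are constructed.

```python
# Added example: the two Snort rules above applied to raw TCP payloads by hand,
# with Snort's 'content'/'depth' semantics. Payloads below are constructed, not captures.

def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, inside
    it is space-separated hex (e.g. "|0c 00|" gives the two bytes 0x0c 0x00)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out.extend(part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part))
    return bytes(out)

# The rule fields that matter for matching, copied from the signatures above.
RULES = [
    {"sid": 1000001, "msg": "FinFisher Malware Connection Initialization",
     "content": parse_content("|0c 00 00 00 40 01 73 00|"), "depth": 8},
    {"sid": 1000002, "msg": "FinFisher Malware Connection Handshake",
     "content": parse_content("|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"), "depth": 16},
]

def content_matches(payload: bytes, content: bytes, depth: int) -> bool:
    """'depth:N' limits the search to the first N payload bytes; the whole
    pattern must fit inside that window (slicing enforces this)."""
    return content in payload[:depth]

def match_rules(payload: bytes, to_server: bool = True) -> list:
    """Sids that fire on one payload. flow:to_server,established is reduced
    to a direction flag; a real sensor also needs the TCP handshake seen."""
    if not to_server:
        return []
    return [r["sid"] for r in RULES if content_matches(payload, r["content"], r["depth"])]

def scan(payloads) -> list:
    """Run (direction, payload) pairs through the rules; return (index, sid, msg) alerts."""
    by_sid = {r["sid"]: r["msg"] for r in RULES}
    alerts = []
    for idx, (to_server, data) in enumerate(payloads):
        for sid in match_rules(data, to_server):
            alerts.append((idx, sid, by_sid[sid]))
    return alerts

# Constructed traffic: a client init, a handshake, the same init bytes shifted by one
# (outside the depth window), a server-side reply carrying the pattern, and noise.
SAMPLE_PAYLOADS = [
    (True, bytes.fromhex("0c 00 00 00 40 01 73 00") + b"\x01\x02\x03"),
    (True, bytes.fromhex("5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00") + b"\x00" * 8),
    (True, b"\x00" + bytes.fromhex("0c 00 00 00 40 01 73 00")),
    (False, bytes.fromhex("0c 00 00 00 40 01 73 00")),
    (True, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]
```

The shifted sample shows why `depth` matters: the same eight bytes one position later no longer fit in the window, so the rule stays silent rather than matching on a stray substring.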
Mobile version
iOS version
The iOS version is built for ARMv7 against the iOS 5.1 SDK on OS X 10.7.3; it appears to run on iPhone 4 and 4S, iPad 1, 2 and 3, and iPod touch 3 and 4, on iOS 4.0 and up.
The code signature contains 3 certificates:
- Certificate "Apple Root CA": will expire on 09.02.2035. Your keychain contains this root certificate.
- Certificate "Apple Worldwide Developer Relations Certification Authority": will expire on 14.02.2016.
- Certificate "iPhone Distribution: Martin Muench": will expire on 03.04.2013. SHA1 fingerprint: "1F921F276754ED8441D99FB0222A096A0B6E5C65".
Android
The application appears to install itself as “Android Services”:
C&C server address decoded (shown on the slide):
Blackberry version
After installing:
The malware requests enhanced permissions after installing:
Windows Mobile version
Modules:
- AddressBook: exfiltrates details of the contacts stored in the local address book.
- CallInterception: intercepts voice calls, records them and stores them for later transmission.
- PhoneCallLog: exfiltrates information on all performed, received and missed calls stored in a local log file.
- SMS: records all incoming and outgoing SMS messages and stores them for later transmission.
- Tracking: tracks the GPS location of the device.
To manipulate phone calls, the malware uses the functions provided by RIL.dll, the Radio Interface Layer.
Symbian version
The Symbian.sisx package: "System Update"
Main component: "c:\sys\bin\updater.exe"
As mentioned in the security section of the Nokia developer notes for Symbian:
“Trusted UI dialogs are rare. They must be used only when confidentiality and security are critical: for instance for password dialogs. Normal access to the user interface and the screen does not require this.”
The second file ("mysym.sisx") is an "Installation File" and appears to be signed by the "Symbian CA I" for "Cyan Engineering Services SAL (offshore)".
C&C Servers
- Two servers in Brunei
- One in Turkmenistan's Ministry of Communications
- Two in Singapore
- One in the Netherlands
- A new server in Indonesia
- A new server in Bahrain
Conclusion
Great malware
Questions?
Thank you!