In reviews of how FinFisher FinSpy, Hacking Team's RCS and similar “ethical malware” programs work, the discussion generally begins with the statement, “They plant malware on a device to take control,” and ends with a list of all the capabilities that follow from it. All well and good, but what are the steps leading up to the malware plant that make it successful? And how do such products actually get past anti-virus software, sandboxes and the like to do their job invisibly, without drawing any attention?
Here, without going into an encyclopedic ramble on coding, we will try to explain in layman's terms (more or less) the process behind a successful malware attack, using FinFisher FinSpy as the example. In essence, remote-control ethical malware operates on three principles: (1) gaining the trust of the target; (2) fooling the target's device; or (3) both together. In each case the operator is exploiting vulnerabilities, either of human nature or of systems design.
First, a brief general overview of malware.
Of Human Bondage
With all the public alarm over malware and botnets, most individuals, and particularly targets in the criminal or terrorist community, are acutely aware of the dangers of malware, Trojans, botnets and viruses. Even the term “zero day,” a vulnerability for which no patch yet exists, once arcane terminology confined to the likes of Zerodium, has become common parlance. At the most basic level, people know not to click on emails from complete strangers or to open “out of the blue” notices from bad guys posing as a bank, the IRS or a doctor's office. But there are still those who fall prey to such common techniques for planting malware, variously dubbed phishing or “social engineering.” It is all too easy to gain their trust, and from there deploy malware that takes over the device.
More insidious are “drive-by” attacks, which are increasingly common and succeed through negligence more than outright foolishness. Here a favorite, trusted website (a news portal, say; Yahoo is a recent example) is rigged with exploit code that fires when the victim merely loads the page. The malicious code then probes the browser and its plug-ins for vulnerabilities, often found in apps the device owner has failed to update. App hogs, individuals who install app after app and quickly forget about them, are favorite targets.
Malicious code may be “environmentally aware,” checking the software and hardware it is running on before it acts. It may continuously alter its signature, for example by re-packing or re-encrypting itself, to slip past the blacklists used by signature-based antivirus software. It may evade detection by running only at selected dates and times, or after specific events such as a reboot, and lie dormant otherwise. Another technique hides which Windows Application Programming Interfaces (APIs) the malware calls: instead of importing functions by name, which analysis tools can parse straight out of the executable, the code stores only hashed values of the names and resolves the real addresses at runtime, and it encrypts both its own payload and the data it steals. Similarly, the code might create malicious executables that masquerade as legitimate ones.
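As an added illustration (this is not code from the article or from FinFisher), here is how API hashing works, in C. The hash routine is the ROR13 hash that many Windows shellcode loaders use; the export table is a constructed stand-in for a real DLL's export directory, and the three placeholder functions only return fixed numbers so the lookup can be exercised. The same table run in reverse is what an analyst uses to turn a hash constant found in a sample back into an API name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*api_fn)(void);

/* ROR13 hash: rotate the running value right by 13 bits, then add the next
   character.  Cheap to compute in shellcode and leaves no API name strings. */
uint32_t ror13_hash(const char *name) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);
        h += *p;
    }
    return h;
}

/* Constructed stand-in for a DLL export table (an assumption for this example;
   a real loader walks the export directory of kernel32.dll in memory). */
typedef struct { const char *name; api_fn addr; } export_entry;

int fake_WinExec(void)      { return 1; }
int fake_CreateFileA(void)  { return 2; }
int fake_VirtualAlloc(void) { return 3; }

export_entry fake_exports[] = {
    { "WinExec",      fake_WinExec },
    { "CreateFileA",  fake_CreateFileA },
    { "VirtualAlloc", fake_VirtualAlloc },
};
size_t fake_export_count = sizeof fake_exports / sizeof fake_exports[0];

/* Malware side: look an export up by the hash of its name.  The binary only
   ever contains the 32-bit constant, never the string "VirtualAlloc". */
api_fn resolve_by_hash(const export_entry *tbl, size_t n, uint32_t want) {
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(tbl[i].name) == want)
            return tbl[i].addr;
    return NULL;
}

/* Analyst side: the same table run in reverse.  Given a hash constant pulled
   out of a sample, recover the API name it stands for. */
const char *name_for_hash(const export_entry *tbl, size_t n, uint32_t h) {
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(tbl[i].name) == h)
            return tbl[i].name;
    return NULL;
}

int main(void) {
    /* A real loader embeds this constant directly instead of computing it. */
    uint32_t want = ror13_hash("VirtualAlloc");
    api_fn f = resolve_by_hash(fake_exports, fake_export_count, want);
    printf("hash 0x%08x -> %s -> returns %d\n", want,
           name_for_hash(fake_exports, fake_export_count, want), f ? f() : -1);
    return 0;
}
```

Because the hash is a fixed, public function, defenders precompute it over every export of the common system DLLs and match the constants found in a sample against that list; the only way around that for the malware author is to change the hash function, which is why variants of this routine (different rotate counts, an added XOR key) keep appearing.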
A hacker may also attack via “shellcode,” a small piece of machine code that, once it runs on the target, gives the attacker direct access to the operating system and issues commands to take control. Attacks that go on to gain root (administrator-level) access are called “rootkit infections”: they replace or hook the operating system's own administrative functions with versions that serve the interests of the attacker, yet are concealed so that operation seems normal to the target.
As mentioned, drive-by and other types of malware attack can be hosted on a trusted site that is itself a victim. In the case of ethical malware, however, the operator typically works from behind proxy servers that serve a mirror image of the real web page with the malicious code added. The proxy servers, in turn, report to a master server that remains hidden from view.
Many of these techniques will sound familiar as we enter the world of FinFisher FinSpy.
Customers of FinSpy use a master FinFisher server and FinProxy servers to host and deploy the malware. The master server is configured with the list of all proxy servers, including the ports and the external IP address of each. The proxy servers are set up to listen for connections and to serve the FinSpy module. The master server, which acts as the monitoring center for intercepts, is configured with the ports to be monitored, the certificates used and the logging files; it also holds directories of all ports, certificate paths, logging files, location files and destination paths.
Perhaps most importantly, the master server holds a “TargetModules” directory listing the executable files that bind a chosen carrier file to the FinSpy trojan, the payload that goes on to install the rootkit. Carrier files may be of any type, including Word, PDF, image, video and audio. The binder executable is “hollow”: it wraps the carrier file so that both run when the file is opened, first the trojan, then the legitimate file.
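To make the binding concrete, here is an added example in C (not FinFisher's own binder, whose file layout the article does not describe): a minimal carrier format that appends the decoy document and a small trailer to the stub executable, and the analyst-side routine that recovers the decoy from such a file without running it. The trailer layout, the BIND marker and the sample stub and document bytes are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIND_MAGIC 0x444E4942u   /* "BIND" as a little-endian word; constructed marker */
#define TRAILER_LEN 12           /* magic, decoy offset, decoy length: 3 x 4 bytes */

/* Explicit little-endian helpers so the layout is the same on every platform. */
static void put_u32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get_u32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Binder side: [stub executable][decoy document][trailer].  Returns the total
   size written, or 0 if the output buffer is too small. */
size_t bind_decoy(const unsigned char *stub, size_t stub_len,
                  const unsigned char *decoy, size_t decoy_len,
                  unsigned char *out, size_t out_cap) {
    size_t total = stub_len + decoy_len + TRAILER_LEN;
    if (total > out_cap) return 0;
    memcpy(out, stub, stub_len);
    memcpy(out + stub_len, decoy, decoy_len);
    unsigned char *t = out + stub_len + decoy_len;
    put_u32(t, BIND_MAGIC);
    put_u32(t + 4, (uint32_t)stub_len);     /* decoy starts where the stub ends */
    put_u32(t + 8, (uint32_t)decoy_len);
    return total;
}

/* Analyst side: locate the decoy inside a carrier from the trailer alone.
   Every field is checked against the file size before it is trusted. */
int find_decoy(const unsigned char *blob, size_t len,
               size_t *decoy_off, size_t *decoy_len) {
    if (len < TRAILER_LEN) return 0;
    const unsigned char *t = blob + len - TRAILER_LEN;
    if (get_u32(t) != BIND_MAGIC) return 0;
    uint32_t off = get_u32(t + 4), dlen = get_u32(t + 8);
    if ((size_t)off + dlen != len - TRAILER_LEN) return 0;   /* inconsistent trailer */
    *decoy_off = off;
    *decoy_len = dlen;
    return 1;
}

/* Round trip on constructed data: bind a fake stub and a fake PDF, then
   recover the PDF the way an analyst would.  Returns 1 on success. */
int demo_roundtrip(void) {
    static const unsigned char stub[]  = "STUB-EXE";        /* constructed stand-in */
    static const unsigned char decoy[] = "%PDF-1.4 decoy";  /* constructed stand-in */
    unsigned char blob[128];
    size_t off = 0, dlen = 0;
    size_t n = bind_decoy(stub, sizeof stub - 1, decoy, sizeof decoy - 1, blob, sizeof blob);
    if (n == 0 || !find_decoy(blob, n, &off, &dlen)) return 0;
    return dlen == sizeof decoy - 1 && memcmp(blob + off, decoy, dlen) == 0;
}

int main(void) {
    printf("binder round trip: %s\n", demo_roundtrip() ? "decoy recovered" : "failed");
    return 0;
}
```

At run time the real stub does what the article describes in the order it describes: it runs the trojan, then writes the decoy out to a temporary file and opens it with the application associated with its extension, so the target sees a normal document. For an analyst the same trailer is the tell: an executable carrying a large data overlay past the end of its image, with a small routine that reads its own last few bytes, is worth pulling apart.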
To avoid being caught and confined in a “sandbox” (the isolated zone in which antivirus software and analysis systems run suspicious programs), FinSpy executes anti-sandboxing code before the rootkit is “dropped.” The dropper registers its own Structured Exception Handling (SEH) handler and then deliberately executes a few random bytes, which raises a hardware exception that the operating system's exception dispatcher routes to that handler. On a real Windows machine the handler simply resumes execution. Many sandboxes and antivirus emulators do not model exception dispatch faithfully; the emulator tries three times, then quits, assuming the bytes are a non-working app. Once the check confirms a real machine, the FinSpy dropper unleashes the rootkit to commandeer the operating system.
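The following is an added example in C, not FinSpy's code, that shows the shape of the exception trick on a POSIX system, where a signal handler plays the part of the SEH frame: the program faults on purpose, its own handler catches the fault and resumes, and it counts how many faults were actually delivered. On a genuine machine every fault comes back to the handler; an emulator that abandons the program after a few faults never completes the count. Executing random bytes is replaced here by a read through a null pointer, which is a deterministic way to raise the fault.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf recover_point;
static volatile sig_atomic_t faults_seen;

/* Plays the role of the SEH handler: record the fault and resume after it. */
static void fault_handler(int sig) {
    (void)sig;
    faults_seen++;
    siglongjmp(recover_point, 1);
}

/* Deliberately fault.  The null pointer comes from a volatile so the compiler
   cannot prove it is null and replace the load with a trap instruction. */
static void cause_fault(void) {
    volatile uintptr_t zero = 0;
    volatile int *p = (volatile int *)zero;
    int v = *p;                 /* SIGSEGV here on real hardware */
    (void)v;
}

/* Fault `rounds` times and return how many faults actually reached our handler.
   On a real machine with a working dispatcher this equals `rounds`; an emulator
   that gives up after a few faults either kills the sample or returns less. */
int probe_exception_dispatch(int rounds) {
    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);
    sigaction(SIGILL,  &sa, &old_ill);

    faults_seen = 0;
    for (volatile int i = 0; i < rounds; i++) {
        /* siglongjmp from the handler lands here with a non-zero return. */
        if (sigsetjmp(recover_point, 1) == 0)
            cause_fault();
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    return (int)faults_seen;
}

int main(void) {
    int rounds = 3, seen = probe_exception_dispatch(rounds);
    printf("%d of %d faults dispatched -> %s\n", seen, rounds,
           seen == rounds ? "real machine, continue" : "sandbox suspected, stay dormant");
    return 0;
}
```

The defensive lesson is the mirror image: an analysis environment that wants to follow such a sample has to implement exception dispatch completely, including handler registration and resumption, rather than treating the first fault as the end of the program.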
All very quietly, mind you. FinSpy hides in the target device's temporary folder and decrypts the spyware tools packed into its resource section. It then starts a legitimate system process, “hollows” it out (replacing the process's code in memory while keeping its name and identity) and injects a Dynamic Link Library (DLL) that carries out all the wonders of ethical malware.
One other brilliant feature of the rootkit: it modifies the target device's “Master Boot Record” (MBR), the first sector of the hard disk, whose boot code the firmware runs before the operating system is loaded into main memory (RAM). Code that runs at that stage starts before Windows and before the antivirus driver, which lets FinSpy hook the system's process monitoring (the kernel's bookkeeping of running processes and threads) and keep the malware's activity below the level at which antivirus software registers and reports it. What does show up in memory runs under a false name that is almost impossible to single out.
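As an added example (not FinSpy's code, nor a detector from the article), here is the defender's side of the MBR story in C: parse a 512-byte boot sector, check the 0x55AA boot signature and the partition table, and compare the boot code area (the first 440 bytes, before the Windows disk signature at offset 0x1B8) against a known-good checksum recorded from a clean install. The sample sectors are constructed inside the program, the checksum is FNV-1a chosen for brevity where a real baseline would use SHA-256, and the reader function is how you would point the check at a real drive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE       512
#define MBR_CODE_SIZE  440      /* boot code, up to the disk signature at 0x1B8 */
#define MBR_PTABLE     0x1BE    /* four 16-byte partition entries */

/* FNV-1a over the boot code area.  Stands in for SHA-256 to keep the example short. */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

typedef struct {
    int signature_ok;   /* 0x55 0xAA at offsets 510-511 */
    int code_changed;   /* boot code hash differs from the recorded baseline */
    int active_count;   /* partitions flagged bootable (0x80); should be exactly 1 */
} mbr_report;

mbr_report check_mbr(const uint8_t *mbr, uint32_t baseline_code_hash) {
    mbr_report r = { 0, 0, 0 };
    r.signature_ok = (mbr[510] == 0x55 && mbr[511] == 0xAA);
    r.code_changed = (fnv1a(mbr, MBR_CODE_SIZE) != baseline_code_hash);
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_PTABLE + 16 * i;
        if (e[0] == 0x80) r.active_count++;
    }
    return r;
}

/* Anything other than a valid, unchanged sector with one active partition
   deserves a closer look. */
int mbr_suspicious(const mbr_report *r) {
    return !r->signature_ok || r->code_changed || r->active_count != 1;
}

/* Constructed sample sector: boot code replaced by a short tag, one bootable
   NTFS partition, valid boot signature. */
void make_sample_mbr(uint8_t *out, const char *code_tag) {
    size_t n = strlen(code_tag);
    if (n > MBR_CODE_SIZE) n = MBR_CODE_SIZE;
    memset(out, 0, MBR_SIZE);
    memcpy(out, code_tag, n);
    out[MBR_PTABLE]     = 0x80;  /* bootable flag */
    out[MBR_PTABLE + 4] = 0x07;  /* partition type: NTFS */
    out[510] = 0x55;
    out[511] = 0xAA;
}

/* Read the first sector of a raw device, e.g. /dev/sda on Linux (needs root). */
int read_mbr(const char *path, uint8_t *out) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(out, 1, MBR_SIZE, f);
    fclose(f);
    return n == MBR_SIZE;
}

int main(int argc, char **argv) {
    uint8_t good[MBR_SIZE], cur[MBR_SIZE];
    make_sample_mbr(good, "KNOWN-GOOD-BOOT-CODE");   /* constructed baseline */
    uint32_t baseline = fnv1a(good, MBR_CODE_SIZE);
    if (argc > 1) {
        if (!read_mbr(argv[1], cur)) { perror(argv[1]); return 1; }
    } else {
        make_sample_mbr(cur, "BOOTKIT-CODE");         /* simulate a patched sector */
    }
    mbr_report r = check_mbr(cur, baseline);
    printf("signature_ok=%d code_changed=%d active=%d -> %s\n",
           r.signature_ok, r.code_changed, r.active_count,
           mbr_suspicious(&r) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

In real use the baseline hash is taken from the disk once, right after installation, and stored off the machine; the constructed baseline in main() exists only so the program runs stand-alone. Note also the limit of the check: a bootkit that runs before the OS can also filter what the OS reads back from sector 0, so a sector that hashes clean from inside a running system is a weaker result than one read from boot media.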
Captured data is encrypted with 256-bit AES and stored in the same directory into which the original rootkit was unpacked. The data is then routed to a FinProxy server and on to the master server for analysis. The end result: the ability to browse the target's files remotely, log his keystrokes, activate his still and video cameras, record his voice live through his own microphone, lift his passwords, access his communications in real time (voice, SMS, email, social media or video chats) and geolocate him for arrest, or “special handling” by Special Ops. Now you know all the steps that come before.
Insider Surveillance rating for FinFisher FinSpy: 5 Stars