FinFisher hits Windows with UEFI Rootkit
FinFisher, a commercially developed surveillance tool, has been upgraded to infect Windows devices with a UEFI bootkit delivered through a trojanized Windows Boot Manager.
FinFisher is a spyware toolset for Windows, macOS, and Linux that is sold exclusively to law enforcement and intelligence agencies. But, as with NSO Group's Pegasus, the software has also been misused for spying.
FinFisher is equipped to harvest user credentials, file listings, sensitive documents, record keystrokes, siphon email messages from Thunderbird, Outlook, Apple Mail, and Icedove, intercept Skype contacts, chats, calls and transferred files, and capture audio and video by gaining access to a machine’s microphone and webcam.
It was previously deployed through tampered installers of legitimate apps such as TeamViewer, VLC, and WinRAR that were backdoored with an obfuscated downloader, and subsequently via Master Boot Record bootkits that injected a malicious loader in a way that evaded security tools.
The latest addition is the ability to deploy a UEFI bootkit to load FinSpy: new samples replace the Windows UEFI boot loader (the Windows Boot Manager) with a malicious variant and use four layers of obfuscation, along with other detection-evasion methods, to slow down reverse engineering and analysis.
This gives threat actors control over the boot process, persistence across reinstalls of the operating system, and a way to bypass security defences that only start after the boot manager has run, so caution is required.