
ESET: Possible links between ISPs and FinFisher spyware

By Chong Jinn Wei - on 24 Sep 2017, 1:00am


The infection mechanism of recent FinFisher variants. Image source: ESET.

IT security firm ESET reported that certain internet service providers (ISPs) may be strongly involved in the distribution of FinFisher (a.k.a. FinFly) spyware in certain countries.

FinFisher is a type of spyware that breaches victims’ privacy by accessing private files, microphone conversations, and webcam video from their computers. Unlike other spyware, FinFisher has sometimes been marketed as a law enforcement tool, and has been deployed by oppressive regimes to monitor dissenters or citizens with differing views.

From ESET’s recent findings, similar patterns were discovered in at least two of seven countries suffering from FinFisher spyware attacks. ESET believes that the distribution of FinFisher is only possible if there is a ‘middle man’ operating on the ISP level.

ESET reports that victims’ computers are infected when they download popular programs or apps, such as WhatsApp, WinRAR, VLC Player, or even Avast. The perplexing thing is that they were all downloaded from legitimate websites.

A diagram showing how victims are infected by the FinFisher spyware. Image source: ESET.

The attack begins when the victim clicks on the download link; however, the link has been modified to redirect to a server hosting a trojanized installation package. When the victim downloads and executes the package, it installs not only the legitimate program but also the FinFisher spyware bundled within it.

This redirect is delivered to the victim’s browser through an HTTP 307 Temporary Redirect status response, which indicates that the requested content has temporarily moved to a new URL. Unfortunately, this redirection happens without the victim’s knowledge and is difficult to notice with the naked eye.
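One way a defender can look for this pattern is to scan web-proxy logs for 307 responses that move an installer download to a different site or to a bare IP address. The following is an added example, not ESET’s code or data: the log format, the sample lines and the hostnames are all constructed for illustration, and the “same site” check is a deliberate simplification (last two DNS labels) rather than a Public Suffix List lookup.

```python
"""Flag HTTP 307 redirects that move an installer download off its origin site."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample proxy log (assumption: not real data). One line per
# transaction: "<client> <method> <url> <status> <Location header or '-'>".
SAMPLE_LOG = """\
10.0.0.5 GET http://download.example.org/setup/installer.exe 307 http://203.0.113.9/dl/installer.exe
10.0.0.5 GET http://203.0.113.9/dl/installer.exe 200 -
10.0.0.7 GET http://download.example.org/docs/readme.html 307 http://docs.example.org/readme.html
10.0.0.8 GET http://cdn.example.org/player-setup.msi 307 http://cdn2.example.org/player-setup.msi
10.0.0.9 GET http://mirror.example.net/archiver.exe 307 http://files.example-mirror.com/archiver.exe
"""

# File types that typically carry an installer; extend to taste.
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, location = m.groups()
    return {
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def registrable_domain(host):
    """Simplification (assumption): the last two DNS labels identify the site.
    A production rule should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    """True if the host part is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_reasons(entry):
    """Return a list of reasons this entry looks like a hijacked installer download."""
    reasons = []
    if entry["status"] != 307 or not entry["location"]:
        return reasons
    src = urlparse(entry["url"])
    dst = urlparse(entry["location"])
    # Only installer-type downloads are of interest for this heuristic.
    if not src.path.lower().endswith(INSTALLER_EXT):
        return reasons
    if is_ip(dst.hostname or ""):
        reasons.append("redirect target is a bare IP address")
    if registrable_domain(src.hostname or "") != registrable_domain(dst.hostname or ""):
        reasons.append(f"installer moved off-site: {src.hostname} -> {dst.hostname}")
    return reasons


def find_suspicious_redirects(log_text):
    """Scan the log text and return (client, url, location, reasons) tuples."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry["client"], entry["url"], entry["location"], reasons))
    return findings


if __name__ == "__main__":
    for client, url, location, reasons in find_suspicious_redirects(SAMPLE_LOG):
        print(f"{client}: {url} -> {location}: {'; '.join(reasons)}")
```

Run against the sample, the first line (installer sent to a bare IP on another site) and the last line (installer moved to an unrelated domain) are flagged, while the HTML redirect and the same-site CDN hop are not. Pair this with verifying the downloaded file’s publisher signature, since the trojanized package still installs the real program and looks legitimate on disk.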

The redirection is only possible if it is implemented on an ISP level of that particular country. To support this theory, ESET cites a number of leads:

1) A WikiLeaks article about a FinFisher maker discussing 'FinFly ISP' to be deployed on ISP networks,

2) The HTTP 307 redirect technique was implemented in the previously mentioned two countries,

3) Affected victims within a country were using the same ISP,

4) The same redirection method was used in at least one country trying to filter content on the internet through ISPs.

To check that your computer is not infected: all ESET products can detect and block these threats, such as Win32/FinSpy.AB and Win32/FinSpy.AA. ESET’s Free Online Scanner can also check your computer for their presence and remove the spyware if detected.
