Who is using the commercial cyberespionage tool FinFisher?

Malware development has long stopped being the exclusive domain of individuals and groups looking for strictly fame or money.

As years passed and everybody and everything went online, governments and intelligence agencies have also discovered the immense possibilities of using legal (or not) malware to spy on its potential enemies.

Sometimes they backed the development of the malware directly – as, it seems, happened with the creation of Stuxnet, Duqu, Flame and the recent Gauss Trojan. And sometimes they use cyberespionage tools legally offered by companies such as the Gamma Group International, a British firm that sells surveillance and monitoring solutions to national and state intelligence departments and law enforcement agencies.

One of the solutions sold by the company is FinFisher, a piece of spyware that records chats, screenshots, keystrokes, grabs other information from infected systems and passes it on to its operators, and is (was?) capable of hiding its presence from over 40 AV products on the market.

The name and the product became more familiar to the general public when Egyptian protesters discovered an offer to buy the tool among the documents found during a raid of the the country’s state security headquarters.

Security researchers have long wanted to analyze FinFisher, but until recently couldn’t get their hands on a sample. That all changed when two pro-democracy Bahraini activists reported receiving emails they suspected was carrying malware. And they were right.

According to Nicole Perlroth, two security researchers from Toronto analyzed the emails’ payload and discovered FinSpy, which is part of the FinFisher spyware tool kit, and that it is used purposes other than pinpointing criminal activities.

Gamma Group immediately piped up to say that they did not sell any of their products to Bahrain, and that the analyzed sample was probably stolen or a result of reverse-engineering efforts.

Subsequently, Rapid7 researchers also analyzed it, and discovered that the C&C server to which machines infected with this FinFisher sample report back to responds to HTTP requests in a certain way. This fact allowed them to pinpoint 11 IP addresses/ C&C servers around the world that responded in the same way.

These servers – located in Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, USA, Mongolia, Latvia and Dubai – have since then stopped responding to these requests, bringing up the possibility that their operators are aware of the media attention the spyware is getting and have updated the servers.

It’s impossible to tell for sure whether the servers in question are used by government agencies.

The researchers point out that the aforementioned statement from Gamma Group does not seem likely to be true.

The knowledge and sophistication required to develop (or reverse-engineer) the spyware cannot be seen in the current distribution attempts, they say, and that means it’s unlikely that the developers and the distributors are not the same individuals or group.