FinFisher

The October 2024 European Commission guidelines define listed export controls for six types of surveillance technology, including intrusion software: “software that allows operators to covertly and remotely access electronic devices, in order to obtain data, track users or eavesdrop using a device's built-in microphone or cameras.”

Bootable USB Key Failure FinSpy Version 3.0. When building an infection and requesting creation of a bootable usb key... | Unable to create bootable iso image and bootable infection dongle ... tried both bootable iso image and bootable infection dongle

ClamAV blocked Webinfection ... silently were blocking our injected Javascript Code. as soon as the AV was disabled, the injected code was executed. | FinFly Web ... I tried updating it online but I get a /.../bin/update not accessible message.

At the time, members of the advocacy group Bahrain Watch in Washington, D.C., and London had been targeted via email by what appeared to be malware.

Malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | Malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology.

It is more likely to be installed by sending a deceptive link to the target. | And make sure your employees are all freshly trained on the do's and don'ts of malware infection paths and protection strategies, like clicking on links in email (that's a don't)

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. | Malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities... malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology... the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2012-0158, CVE-2018-4878, CVE-2017-8759, and CVE-2015-1641. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology.

After the attachment was opened, FinSpy was surreptitiously downloaded onto his computer from a server located at an Ethiopian IP address.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

Kaspersky warning FinSpy Trojan installs but give a warning on every boot, process id xxx is trying to inject into another process.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

Add flag to put rootkit asleep and to waken the rootkit FinSpy | Add flag to put rootkit asleep and to waken the rootkit ... putting the rootkit asleep at the last day of the warrant, and waken the rootkit again

Обфускация (T1027, Obfuscated Files) Минимальная или ProGuard Многослойная: шифрование строк, VM-упаковщик

Маскировка (T1036, Masquerading) Скрытие иконки, имя «System Service» Инъекция в легитимные процессы

Akira has used legitimate names and locations for files to evade defenses.

Kaspersky warning FinSpy Trojan installs but give a warning on every boot, process id xxx is trying to inject into another process.

Possibility of removing Collected Data from the Target before transfer to Server

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.

Stalkerware скрывает иконку из launcher (T1564.001, Hidden Files and Directories), но остаётся видимым в Settings -> Apps -> Show all apps и в выводе adb shell pm list packages -3

Trojen detected by AntiVirus FinFly Web ... the trojen popup comes behind the Youtube video in the self created website and in some websites the trojen does not appear at all.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Keylogger doesnt catch Fn keys ... Keylogger export ... Unable to retrieve Keylogger data | keylogger mixup FinSpy When visualizing data, the keylogger module does not show the correct information.

FinSpy can also record Internet telephone calls, text messages, and file transfers transmitted through Skype

Browser Password Retrieval ... Browsers change their behaviors in terms of storing passwords ... 3rd party passwords storages instead of the internal browser storage e.g. like LastPass

Shall we copy again communication keys from ./finspy_master/data/certs from offline to remote master?

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Bootable USB Key Failure FinSpy Version 3.0. When building an infection and requesting creation of a bootable usb key... | Unable to create bootable iso image and bootable infection dongle ... tried both bootable iso image and bootable infection dongle

recover non-downloaded data from the target machine ... file access module ... download selected files

Keylogger doesnt catch Fn keys ... Keylogger export ... Unable to retrieve Keylogger data | keylogger mixup FinSpy When visualizing data, the keylogger module does not show the correct information.

timestamp screenshots FinSpy ... screenshots taken from the target are not individually timestamped. | Title based screen recording ... Dual Screen Capture ... screenshots taken from the target

Security researchers who studied the spyware last month said it can ... remotely turn on cameras and microphones...

web camera FinSpy Web camera module is not working ... Request for capturing single frames with the Webcam | Webcam does not work FinSpy ... The webcam of HP Pavilion dv6 laptop did not work.

screen recording zip archiving have issue ... multiple zip files are created

the sample attempts to connect to both Internet-based and SMS-based command & control servers... net.rmi.device.api.fsmbb.core.com.* Appears to contain the mechanics of communication with the command & control server, including the plaintext TLV-based wire protocol. | The ‘logind’ process attempts to talk to a remote command and control server... After the user accepts these permissions, the sample attempts to connect to both Internet-based and SMS-based command & control servers.

C2 (T1041, Exfiltration Over C2) HTTPS к vendor-панели на shared-хостинге Зашифрованные каналы, domain fronting