AL2021_32 New FinSpy Malware Variant Infects Windows Systems With UEFI Bootkit (29th September 2021)

A commercially developed FinFisher surveillance software has been enhanced to infect Windows devices using a Unified Extensible Firmware Interface (UEFI) bootkit using a trojanized Windows Boot Manager, bringing a shift in infection vectors that allow it to avoid discovery and analysis.

Summary

FinFisher also known as FinSpy or Wingbird is known as a spyware toolset for Windows, macOS, and Linux developed by Anglo-German firm Gamma International and supplied solely to law enforcement and intelligence agencies. The software is similar to the Pegasus spyware but has been allegedly used to spy on Bahraini activists in the past, as well as being used as part of a spear-phishing campaign in September 2017.

How it works

The spyware (FinFisher) is capable of gathering user credentials, file listings, sensitive documents, record keystrokes, siphon email messages from Thunderbird, Outlook, Apple Mail, and Icedove, intercept Skype contacts, chats, calls and transfer files, and capture audio and video by gaining access to a machine’s microphone and webcam.

The tool was previously positioned through tampered installers of authentic applications such as Adobe Flash Player, TeamViewer, VLC and WinRAR that were backdoored with a jumble downloader, whereby, subsequent updates in 2014 enabled infections via Master Boot Record (MBR) bootkits intending to inject a malicious loader in a manner that is engineered to slip past security tools.

One of the latest features to be added to the spyware is its ability to position a UEFI bootkit to load FinSpy, with new samples exhibiting properties that replaced the Windows UEFI boot loader with a malicious variant as well as boasting of four layers of obfuscation and other detection-evasion methods to moderate reverse engineering and analysis.

This method of infection allows attackers to install a bootkit without the need to bypass firmware security checks, which was noted by Kaspersky Global Research and Analysis team, during an eight-month-long investigation. It is also important to note that UEFI infections are very rare and generally hard to execute, it stands out due to their evasiveness and persistence.

For more information on this vulnerability, kindly follow this URL:

https://securelist.com/finspy-unseen-findings/104322/

Remediation

Currently, there is no detailed patch available for this kind of vulnerability. However, the Guyana National CIRT recommends the user use the following measures to avoid vulnerability.

  • Keep all Windows operating software updated by checking regularly for updates.

  • Use Full versions of reputable antivirus software and ensure it is always up to date.

  • Check regularly for all application software that is part of the Microsoft ecosystem and have it updated.
    PDF Download: New FinSpy Malware Variant Infects Windows Systems With UEFI Bootkit.pdf

    References