SYMBOLCOMMON_NAMEaka. SYNONYMS
win.finfisher (Back to overview)

FinFisher RAT

aka: FinSpy

FinFisher is a commercial software used to steal information and spy on affected victims. It began with few functionalities which included password harvesting and information leakage, but now it is mostly known for its full Remote Access Trojan (RAT) capabilities. It is mostly known for being used in governmental targeted and lawful criminal investigations. It is well known for its anti-detection capabilities and use of VMProtect.

References
2020-10-14Netzpolitik.orgAndre Meister
@online{meister:20201014:german:be3eea7, author = {Andre Meister}, title = {{German Made State Malware Company FinFisher Raided}}, date = {2020-10-14}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/}, language = {English}, urldate = {2020-10-15} } German Made State Malware Company FinFisher Raided
FinFisher FinFisher FinFisher FinFisher RAT
2020-09-25Amnesty InternationalAmnesty International
@online{international:20200925:germanmade:49d85d3, author = {Amnesty International}, title = {{German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed}}, date = {2020-09-25}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/}, language = {English}, urldate = {2020-09-25} } German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed
FinFisher FinFisher FinFisher FinFisher RAT
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2018-03-01MicrosoftOffice 365 Threat Research Team, Microsoft Defender ATP Research Team
@online{team:20180301:finfisher:e1de78f, author = {Office 365 Threat Research Team and Microsoft Defender ATP Research Team}, title = {{FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines}}, date = {2018-03-01}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/}, language = {English}, urldate = {2020-01-08} } FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines
FinFisher RAT
2018-01-24ESET ResearchFilip Kafka
@techreport{kafka:20180124:esets:246a0d4, author = {Filip Kafka}, title = {{ESET’S GUIDE TODEOBFUSCATING AND DEVIRTUALIZING FINFISHER}}, date = {2018-01-24}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf}, language = {English}, urldate = {2020-01-13} } ESET’S GUIDE TODEOBFUSCATING AND DEVIRTUALIZING FINFISHER
FinFisher RAT
2018-01-23Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20180123:walkthrough:afbbb08, author = {Rolf Rolles}, title = {{A Walk-Through Tutorial, with Code, on Statically Unpacking the FinSpy VM: Part One, x86 Deobfuscation}}, date = {2018-01-23}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation}, language = {English}, urldate = {2020-01-08} } A Walk-Through Tutorial, with Code, on Statically Unpacking the FinSpy VM: Part One, x86 Deobfuscation
FinFisher RAT
2017-10-16Kaspersky LabsGReAT
@online{great:20171016:blackoasis:b447418, author = {GReAT}, title = {{BlackOasis APT and new targeted attacks leveraging zero-day exploit}}, date = {2017-10-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/}, language = {English}, urldate = {2019-12-20} } BlackOasis APT and new targeted attacks leveraging zero-day exploit
FinFisher RAT BlackOasis
2017-09-21ESET ResearchFilip Kafka
@online{kafka:20170921:new:8bcb309, author = {Filip Kafka}, title = {{New FinFisher surveillance campaigns: Internet providers involved?}}, date = {2017-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/}, language = {English}, urldate = {2019-11-14} } New FinFisher surveillance campaigns: Internet providers involved?
FinFisher RAT
2017-09-12FireEyeBen Read, Genwei Jiang, James T. Bennett
@online{read:20170912:fireeye:60e2846, author = {Ben Read and Genwei Jiang and James T. Bennett}, title = {{FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY,FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY}}, date = {2017-09-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html}, language = {English}, urldate = {2019-12-20} } FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY,FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
FinFisher RAT BlackOasis
2017-07-18ElasticAshkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-01-13Artem Baranov
@online{baranov:20170113:finfisher:436b89e, author = {Artem Baranov}, title = {{Finfisher rootkit analysis}}, date = {2017-01-13}, url = {https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html}, language = {English}, urldate = {2019-11-26} } Finfisher rootkit analysis
FinFisher RAT
2014-10-02CodeAndSecCodeAndSec
@online{codeandsec:20141002:finfisher:3b1d9c1, author = {CodeAndSec}, title = {{FinFisher Malware Analysis - Part 2}}, date = {2014-10-02}, organization = {CodeAndSec}, url = {https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2}, language = {English}, urldate = {2020-03-19} } FinFisher Malware Analysis - Part 2
FinFisher RAT
Yara Rules
[TLP:WHITE] win_finfisher_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_finfisher_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 56 8d85ccf9ffff 50 }
            // n = 4, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   8d85ccf9ffff         | lea                 eax, [ebp - 0x634]
            //   50                   | push                eax

        $sequence_1 = { 68???????? 6804010000 8d85ccf9ffff 50 }
            // n = 4, score = 200
            //   68????????           |                     
            //   6804010000           | push                0x104
            //   8d85ccf9ffff         | lea                 eax, [ebp - 0x634]
            //   50                   | push                eax

        $sequence_2 = { 3bde 0f8583030000 66c78572f7ffff0401 8d85dcfdffff 898574f7ffff 8d8548f7ffff }
            // n = 6, score = 100
            //   3bde                 | cmp                 ebx, esi
            //   0f8583030000         | jne                 0x389
            //   66c78572f7ffff0401     | mov    word ptr [ebp - 0x88e], 0x104
            //   8d85dcfdffff         | lea                 eax, [ebp - 0x224]
            //   898574f7ffff         | mov                 dword ptr [ebp - 0x88c], eax
            //   8d8548f7ffff         | lea                 eax, [ebp - 0x8b8]

        $sequence_3 = { c745fcfeffffff 6a10 56 56 6a01 56 ffb5bcf7ffff }
            // n = 7, score = 100
            //   c745fcfeffffff       | mov                 dword ptr [ebp - 4], 0xfffffffe
            //   6a10                 | push                0x10
            //   56                   | push                esi
            //   56                   | push                esi
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ffb5bcf7ffff         | push                dword ptr [ebp - 0x844]

        $sequence_4 = { 50 ff15???????? eb05 b8010000c0 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   eb05                 | jmp                 7
            //   b8010000c0           | mov                 eax, 0xc0000001

        $sequence_5 = { 53 53 894004 8900 ff15???????? 898604010000 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   894004               | mov                 dword ptr [eax + 4], eax
            //   8900                 | mov                 dword ptr [eax], eax
            //   ff15????????         |                     
            //   898604010000         | mov                 dword ptr [esi + 0x104], eax

        $sequence_6 = { 0f8504010000 83bd40f2ffff02 7528 6a59 ff15???????? 85c0 }
            // n = 6, score = 100
            //   0f8504010000         | jne                 0x10a
            //   83bd40f2ffff02       | cmp                 dword ptr [ebp - 0xdc0], 2
            //   7528                 | jne                 0x2a
            //   6a59                 | push                0x59
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 663bca 7407 43 43 895de0 }
            // n = 5, score = 100
            //   663bca               | cmp                 cx, dx
            //   7407                 | je                  9
            //   43                   | inc                 ebx
            //   43                   | inc                 ebx
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx

        $sequence_8 = { 75f6 2bc2 d1f8 8d8445dcfdffff eb02 48 }
            // n = 6, score = 100
            //   75f6                 | jne                 0xfffffff8
            //   2bc2                 | sub                 eax, edx
            //   d1f8                 | sar                 eax, 1
            //   8d8445dcfdffff       | lea                 eax, [ebp + eax*2 - 0x224]
            //   eb02                 | jmp                 4
            //   48                   | dec                 eax

        $sequence_9 = { ff7644 53 e8???????? 8b06 85c0 7407 }
            // n = 6, score = 100
            //   ff7644               | push                dword ptr [esi + 0x44]
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9

        $sequence_10 = { 6a04 8d4510 50 684014fe00 8d4508 }
            // n = 5, score = 100
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax
            //   684014fe00           | push                0xfe1440
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_11 = { 8b00 35???????? a3???????? 7507 8bc1 a3???????? f7d0 }
            // n = 7, score = 100
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   35????????           |                     
            //   a3????????           |                     
            //   7507                 | jne                 9
            //   8bc1                 | mov                 eax, ecx
            //   a3????????           |                     
            //   f7d0                 | not                 eax

        $sequence_12 = { 8d5910 eb20 8b13 8b750c 81e2ffffff7f 035510 0fb70a }
            // n = 7, score = 100
            //   8d5910               | lea                 ebx, [ecx + 0x10]
            //   eb20                 | jmp                 0x22
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   81e2ffffff7f         | and                 edx, 0x7fffffff
            //   035510               | add                 edx, dword ptr [ebp + 0x10]
            //   0fb70a               | movzx               ecx, word ptr [edx]

        $sequence_13 = { 8b450c 8985b0f7ffff bb020000c0 33f6 89b5a0f7ffff }
            // n = 5, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8985b0f7ffff         | mov                 dword ptr [ebp - 0x850], eax
            //   bb020000c0           | mov                 ebx, 0xc0000002
            //   33f6                 | xor                 esi, esi
            //   89b5a0f7ffff         | mov                 dword ptr [ebp - 0x860], esi

    condition:
        7 of them and filesize < 262144
}
[TLP:WHITE] win_finfisher_w0   (20170517 | FinFisher FinSpy)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_finfisher_w0 {
    meta:
        description = "FinFisher FinSpy"
	    author = "botherder https://github.com/botherder"
	    source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/FinSpy.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $password1 = /\/scomma kbd101\.sys/ wide ascii
        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
        $password3 = /\/scomma excel2010\.part/ wide ascii
        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
        $password6 = /\/scomma MSN2010\.dll/ wide ascii
        $password7 = /\/scomma Firefox\.base/ wide ascii
        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
        $password9 = /\/scomma IE7setup\.sys/ wide ascii
        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
        $password11 = /\/scomma office2007\.cab/ wide ascii
        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
        $password13 = /\/scomma outlook2007\.dll/ wide ascii
        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii

        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
        $screenrec7 = /(v)112O00000000\.dat/ wide ascii

        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii

        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii

        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
        $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii

        $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
        $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii

        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii

        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii

        $versions1 = /(f)inspyv2/ nocase
        $versions2 = /(f)inspyv4/ nocase

        $bootkit1 = /(b)ootkit_x32driver/
        $bootkit2 = /(b)ootkit_x64driver/

        $typo1 = /(S)creenShort Recording/ wide

        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide

    condition:
        8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
}
[TLP:WHITE] win_finfisher_w1   (20170517 | FinFisher FinSpy)
rule win_finfisher_w1 {
    meta:
        description = "FinFisher FinSpy"
        author = "AlienVault Labs"
	    source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/FinSpy.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $filter1 = "$password14"
        $filter2 = "$screenrec7"
        $filter3 = "$micrec"
        $filter4 = "$skyperec3"
        $filter5 = "$mouserec2"
        $filter6 = "$driver"
        $filter7 = "$janedow2"
        $filter8 = "$bootkit2"

        $password1 = /\/scomma kbd101\.sys/ wide ascii
        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
        $password3 = /\/scomma excel2010\.part/ wide ascii
        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
        $password6 = /\/scomma MSN2010\.dll/ wide ascii
        $password7 = /\/scomma Firefox\.base/ wide ascii
        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
        $password9 = /\/scomma IE7setup\.sys/ wide ascii
        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
        $password11 = /\/scomma office2007\.cab/ wide ascii
        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
        $password13 = /\/scomma outlook2007\.dll/ wide ascii
        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii

        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
        $screenrec7 = /(v)112O00000000\.dat/ wide ascii

        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii

        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii

        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
        //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii

        //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
        //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii

        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii

        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii

        //$versions1 = /(f)inspyv2/ nocase
        //$versions2 = /(f)inspyv4/ nocase

        $bootkit1 = /(b)ootkit_x32driver/
        $bootkit2 = /(b)ootkit_x64driver/

        $typo1 = /(S)creenShort Recording/ wide

        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide

    condition:
        (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
}
Download all Yara Rules