The Dissection of Guts FinFisher


Microsoft researchers published an article on March 1 after they investigated FinFisher, which is meant to be a solution built by Germany-based FinFisher GmbH. It has been accused as a spying tool for a long time and it is used by some organizations with surveillance operations.
As mentioned by Microsoft researchers, Windows Defender ATP is able to track FinFisher spyware. Although they were able to track it, they claimed that is very intricate to the extent that the researchers had to follow some special techniques.

FinFisher’s Dissection

As mentioned earlier, it is very intricate since I has many evasion abilities that makes it difficult to track it. It has “spaghetti code”, junk instructions that mislead their trace. It makes the program very difficult to read and is able to confuse anyone trying to track the program. Many researchers tried reversing plugins to unscramble the code, but as the code is very complex, their trials failed. Accordingly, Microsoft researchers developed their unique tool writtin in IDA python to break this code.
As the code had to be transformed to something understandable, many trials were attempted, even if they are not novel. Accordingly, an array of opcode instructions by the spyware was detected along with 32 unique routines that were able to produce different opcodes. Anti-debug and anti-analysis trickery were used to prevent any dynamic analysis of the code were the researchers mentioned that
“Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM. […] The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization (ASLR). It is also able to move code execution into different locations if needed,”

FinFisher’s Multiple Deployment Stages

The implementations take several stages, and the first stage includes detecting sandbox environments using a unique loader. The loading step is accompanied with reading imported libraries from .dll extensions and traces them in the memory. The second stage the program executes farther anti-sandbox checks to make sure that there are no remaining security products.
After that, a new stage takes place with a virtual machine program which was mentioned by the research team as follows:
“The 32-bit stage 2 malware uses a customized loading mechanism (i.e., the PE file has a scrambled IAT and relocation table) and exports only one function. For the 64-bit stage 2 malware, the code execution is transferred from the loader using a well-known technique called Heaven’s Gate,”

The next stage includes FinFisher setup where no further codes are added, they are installed in a UAC-enforced surrounding. At the same time, payloads are situated under a folder in the Local Disk C in ProgramData or in the user application data folder.
Finally, the malware is run. The researchers spent much effort to make accurate investigation of FinFisher and yet it is still very horrifying. As a very complex program, you can never expect its next move or development. The last step makes a Structured Exception Handler routine to make the program proceed in a sneaky fashion.

Related Article: Backdoored Agent Engendering Dofoil Infection