FinFisher

The October 2024 European Commission guidelines define listed export controls for six types of surveillance technology, including intrusion software: “software that allows operators to covertly and remotely access electronic devices, in order to obtain data, track users or eavesdrop using a device's built-in microphone or cameras.”

Bootable USB Key Failure FinSpy Version 3.0. When building an infection and requesting creation of a bootable usb key... | Unable to create bootable iso image and bootable infection dongle ... tried both bootable iso image and bootable infection dongle

ClamAV blocked Webinfection ... silently were blocking our injected Javascript Code. as soon as the AV was disabled, the injected code was executed. | FinFly Web ... I tried updating it online but I get a /.../bin/update not accessible message.

At the time, members of the advocacy group Bahrain Watch in Washington, D.C., and London had been targeted via email by what appeared to be malware.

Malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | Malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology.

It is more likely to be installed by sending a deceptive link to the target. | And make sure your employees are all freshly trained on the do's and don'ts of malware infection paths and protection strategies, like clicking on links in email (that's a don't)

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. | Malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities... malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology... the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2012-0158, CVE-2018-4878, CVE-2017-8759, and CVE-2015-1641. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology.

After the attachment was opened, FinSpy was surreptitiously downloaded onto his computer from a server located at an Ethiopian IP address.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

USB Infection Generation ERROR ... 1- Master Boot record of HD ... we totally need the first option to be active while the generation.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

Kaspersky warning FinSpy Trojan installs but give a warning on every boot, process id xxx is trying to inject into another process.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

Add flag to put rootkit asleep and to waken the rootkit FinSpy | Add flag to put rootkit asleep and to waken the rootkit ... putting the rootkit asleep at the last day of the warrant, and waken the rootkit again

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

Request for relay software without branding ... without branding, eg, Gamma, Finspy, relay, ffrelay. The logging should not have the branding as well. | Customized Metadata selection of a trojan+Icon Changer ... metadata in the properties of the file show random association with another software... option of ICON CHANGER

Akira has used legitimate names and locations for files to evade defenses.

Kaspersky warning FinSpy Trojan installs but give a warning on every boot, process id xxx is trying to inject into another process.

Possibility of removing Collected Data from the Target before transfer to Server

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

USB Infection Generation ERROR ... 1- Master Boot record of HD ... we totally need the first option to be active while the generation.

Trojen detected by AntiVirus FinFly Web ... the trojen popup comes behind the Youtube video in the self created website and in some websites the trojen does not appear at all.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

It would be good to have a module which can sniff HTTP/S connections for HTTP/S POST parameters and their contents.

Keylogger doesnt catch Fn keys ... Keylogger export ... Unable to retrieve Keylogger data | keylogger mixup FinSpy When visualizing data, the keylogger module does not show the correct information.

FinSpy can also record Internet telephone calls, text messages, and file transfers transmitted through Skype

Browser Password Retrieval ... Browsers change their behaviors in terms of storing passwords ... 3rd party passwords storages instead of the internal browser storage e.g. like LastPass

Shall we copy again communication keys from ./finspy_master/data/certs from offline to remote master?

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

It would be good to have a module which can sniff HTTP/S connections for HTTP/S POST parameters and their contents.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Bootable USB Key Failure FinSpy Version 3.0. When building an infection and requesting creation of a bootable usb key... | Unable to create bootable iso image and bootable infection dongle ... tried both bootable iso image and bootable infection dongle

recover non-downloaded data from the target machine ... file access module ... download selected files

Keylogger doesnt catch Fn keys ... Keylogger export ... Unable to retrieve Keylogger data | keylogger mixup FinSpy When visualizing data, the keylogger module does not show the correct information.

timestamp screenshots FinSpy ... screenshots taken from the target are not individually timestamped. | Title based screen recording ... Dual Screen Capture ... screenshots taken from the target

Clipboard recording FinSpy Clipboard recording modules would be useful to an investigation.

Security researchers who studied the spyware last month said it can ... remotely turn on cameras and microphones...

web camera FinSpy Web camera module is not working ... Request for capturing single frames with the Webcam | Webcam does not work FinSpy ... The webcam of HP Pavilion dv6 laptop did not work.

screen recording zip archiving have issue ... multiple zip files are created

the sample attempts to connect to both Internet-based and SMS-based command & control servers... net.rmi.device.api.fsmbb.core.com.* Appears to contain the mechanics of communication with the command & control server, including the plaintext TLV-based wire protocol. | The ‘logind’ process attempts to talk to a remote command and control server... After the user accepts these permissions, the sample attempts to connect to both Internet-based and SMS-based command & control servers.

target did successfully completed the http 3 way handshake, but after the 3 way handshake, there is an bad data request error.