UEFI Bootkits Now Used to Spread the FinSpy Surveillance Malware


FinSpy, the malicious spyware, has been updated for use in UEFI bootkits. Also known as Wingbird/FinFisher, it is a surveillanceware whose Windows desktop-based implants were discovered in 2011 and mobile implants a year later.

In 2019, Kaspersky researchers discovered fresh, updated Android and iOS samples, as well as evidence of persistent infections in Myanmar. The use of the spyware was also linked to the Indonesian government.

According to Kaspersky researchers, detection rates for Windows FinSpy infections have been continuously decreasing over the last three years. That’s why the malware has been upgraded by its authors, and new PC infection vectors have been added to it.

The malware is no longer distributed only through Trojanized installers. Its creators introduced Master Boot Record (MBR) bootkits in 2014 to ensure the malicious code is loaded as early as possible on an infected computer.

The researchers reveal that FinSpy’s arsenal now includes Unified Extensible Firmware Interface (UEFI) bootkits as well. Before installing, however, the malware checks whether it is running inside a virtual machine (VM). If one is detected, it simply delivers a shellcode instead, most likely to frustrate reverse-engineering attempts.

UEFI firmware is essential to a computer because it is what loads the operating system. The FinSpy bootkit differed from the standard version, and only administrator rights were required to install it.

Researchers were able to deduce how FinSpy works thanks to a sample of a UEFI bootkit that loaded it. The Windows Boot Manager (bootmgfw.efi) was substituted with a malicious variant. When it was loaded, it also activated two encrypted files: a Winlogon Injector and the Trojan’s main loader.

The FinSpy payload itself is encrypted. After a user signs in, the loader is injected into winlogon.exe, where the Trojan is decrypted and extracted.
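Because the infection chain described above hinges on a replaced bootmgfw.efi on the EFI System Partition (ESP), the most direct defender check is to verify that file. The following PowerShell script is an added example for this article, not code from the article or from Kaspersky. It assumes an elevated PowerShell session on a UEFI-booted Windows host, that the drive letter S: is free so mountvol can expose the ESP there, and that any known-good SHA-256 baseline (placeholder below) was recorded by you on a trusted host.

```powershell
# Added example (not from the article): verify the ESP copy of the Windows Boot Manager,
# the file the FinSpy UEFI bootkit is reported to replace, and triage other EFI binaries.
# Assumptions: elevated session, UEFI boot, drive letter S: free.
$EspLetter = 'S:'
$BootMgr   = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"

# Placeholder: fill in a SHA-256 you recorded from a known-good host of the same build.
$KnownGoodSha256 = $null

# Expose the EFI System Partition as S: (mountvol /S is the documented way to do this).
mountvol $EspLetter /S
try {
    if (-not (Test-Path $BootMgr)) {
        throw "Boot Manager not found at $BootMgr; check the ESP layout before assuming tampering"
    }

    # 1. Authenticode: a genuine bootmgfw.efi carries a valid Microsoft signature.
    #    A replaced loader that only needed admin rights to drop will not.
    $sig = Get-AuthenticodeSignature -FilePath $BootMgr
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # 2. Hash: compare against the baseline you recorded, if you have one.
    $hash = (Get-FileHash -Path $BootMgr -Algorithm SHA256).Hash
    $hashMatches = if ($KnownGoodSha256) { $hash -eq $KnownGoodSha256 } else { 'no baseline' }

    # 3. Secure Boot state: with it enforced, an unsigned replacement loader should not run.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'unavailable' }

    # 4. Triage list: every .efi on the ESP whose signature is not valid. OEM or Linux
    #    loaders may be legitimately signed by others, so review rather than auto-block.
    $suspect = Get-ChildItem "$EspLetter\EFI" -Recurse -Filter *.efi -File |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($s.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_.FullName; Status = $s.Status; Size = $_.Length }
            }
        }

    [pscustomobject]@{
        BootManager        = $BootMgr
        SignedByMicrosoft  = $signedByMicrosoft
        Sha256             = $hash
        HashMatchesBaseline= $hashMatches
        SecureBootEnabled  = $secureBoot
        UnsignedEfiFiles   = @($suspect).Count
    } | Format-List

    if ($suspect) { $suspect | Format-Table -AutoSize }
}
finally {
    # Always release the drive letter, even if a check threw.
    mountvol $EspLetter /D
}
```

A SignedByMicrosoft value of False on a stock Windows install is the condition to escalate: pull the file, compare it with the copy Windows keeps under the system directory, and treat the host as compromised until proven otherwise. The script only covers the technique the article describes (a replaced boot manager on the ESP); it does not inspect the firmware itself and will not detect a bootkit that lives below the ESP.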

Even if a target computer is too old to support UEFI, it isn’t immune to infection. FinSpy will instead use the MBR to target the machine. The malware will likely infect 32-bit devices.

The malware may capture and exfiltrate a wide range of information from an infected computer, including OS information, locally stored media, search history, browser and VPN credentials, Microsoft product keys, Skype recordings, Wi-Fi passwords, SSL keys, and much more.

FinSpy will watch contact lists, SMS messages, files in memory, email content, and GPS locations on mobile devices. Furthermore, the virus may listen in on VoIP conversations and snoop through material sent through applications like Facebook Messenger, Skype, WhatsApp, Signal, and WeChat.

FinSpy for macOS has only one known installation, and the same is true for Linux. In the latter case, however, the infection vector used to deliver FinSpy is presently unclear, though physical access is assumed to be necessary.

It is like a “never-ending tale,” and the operators are likely to “keep improving their infrastructure.”

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
