7. Product Capabilities
Product Name: Description
FinSpy Mobile: Offers the ability to compromise a target's mobile phone (BlackBerry, iOS, Android).
FinSpy: Refers to the suite of FinFly offerings enumerated below.
FinFly USB: Requires direct access to the machine. Can extract and infect.
FinFly FireWire: Requires direct access to the machine. Can extract and infect.
FinFly LAN: Requires direct access to the target LAN. Can perform various MITM activities.
FinFly NET: Requires that the target visit a network under the attacker's control. Can perform various MITM activities.
FinFly ISP: Attacks the target's ISP. Can MITM either before traffic reaches the ISP's core network or after it.
FinFly Web: Attempts to deploy malware to targets through various web-based attack vectors.
FinFly Exploit Portal: An online repository of 0-days and 1-days that paying customers can integrate into their attacks and deploy to targets using the other FinFly offerings.
10. Dropper
The malware extracts two of the PE resources from its own image (walking the PE structures manually) and deobfuscates them with a simple XOR algorithm. One resource decodes to a JPEG file that then replaces the original sample file on disk. The other is a PE file that is later loaded into the current process's address space with a custom PE loader.
11. Dropper
Start with the key bytes and XOR them with the first 4 bytes.
XOR each following 4-byte block with the (still obfuscated) previous 4 bytes.
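The dropper's XOR scheme from slides 10 and 11, as an added example rather than the presentation's or the malware's own code: a 4-byte key is applied to the first block, and every later block is XORed with the obfuscated form of the block before it. Beyond what the slides state, it also shows the practical consequence for the analyst: since only the first block depends on the key, a known plaintext header (JPEG or MZ) recovers the key directly. The key, the sample JPEG/PE blobs, and the function names are constructed for this example.

```python
"""Chained-XOR resource deobfuscation as described for the dropper.

Scheme (from the slides): the first 4-byte block is XORed with the key;
every later block is XORed with the *obfuscated* form of the previous
block. Key, sample payloads and helper names below are constructed for
this example; they are not taken from a real sample.
"""
import struct

JPEG_HEADER = b"\xff\xd8\xff\xe0"   # JFIF start-of-image + APP0 marker
MZ_HEADER = b"MZ\x90\x00"           # typical first bytes of a PE file


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def deobfuscate(data: bytes, key: bytes) -> bytes:
    """Undo the chained XOR. A short trailing block is handled by zip()."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    out = bytearray()
    prev = key
    for off in range(0, len(data), 4):
        block = data[off:off + 4]
        out += _xor(block, prev)
        prev = block            # chain on the still-obfuscated block
    return bytes(out)


def obfuscate(plain: bytes, key: bytes) -> bytes:
    """Inverse of deobfuscate(); used here only to build test input."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    out = bytearray()
    prev = key
    for off in range(0, len(plain), 4):
        block = _xor(plain[off:off + 4], prev)
        out += block
        prev = block
    return bytes(out)


def recover_key(data: bytes, expected_header: bytes) -> bytes:
    """Known-plaintext recovery: key = first obfuscated block XOR known header.

    Only the first block depends on the key, so guessing 4 bytes of the
    decoded header (JPEG or MZ) is enough to recover it.
    """
    return _xor(data[:4], expected_header[:4])


def classify(blob: bytes) -> str:
    """Tell a JPEG from a PE by header, as the analyst would after decoding."""
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


# Constructed inputs: a minimal JFIF prefix and a minimal MZ/PE skeleton.
SAMPLE_JPEG = JPEG_HEADER + b"\x00\x10JFIF\x00\x01\x01" + b"\x00" * 7
SAMPLE_PE = (MZ_HEADER + b"\x00" * (0x3C - 4) + struct.pack("<I", 0x40)
             + b"PE\x00\x00" + struct.pack("<HH", 0x014C, 0))
KEY = b"\xde\xad\xbe\xef"   # constructed, not a real sample key


def demo() -> dict:
    """Round-trip both resources and recover the key from each header."""
    results = {}
    for name, plain, header in (("jpeg", SAMPLE_JPEG, JPEG_HEADER),
                                ("pe", SAMPLE_PE, MZ_HEADER)):
        blob = obfuscate(plain, KEY)
        key = recover_key(blob, header)
        results[name] = {
            "recovered_key": key,
            "kind": classify(deobfuscate(blob, key)),
            "roundtrip": deobfuscate(blob, KEY) == plain,
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["kind"], r["recovered_key"].hex(), r["roundtrip"])
```

Against a real sample, `data` would be the raw bytes of the resource pulled from the dropper's resource directory; try `recover_key` with both headers and keep whichever yields a blob that `classify` recognises.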
14. Payload Extraction
Decrypt the resources:
- Test.exe (main component)
- driverw.sys, named "Microsoft Disk Driver"
- shell32.dll
- msvcr90.dll
- …
Write them to %TEMP% and execute them with the ShellExecuteW API.
15. Features in the payload
Persistence through the Run key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
16. Shell32.dll
Inject msvcr90.dll into another process
Detect Firewalls/AVs (Comodo, KAS)
Inject code into explorer.exe
17. OS Version
The malware checks the OS version:
- 32-bit: continues to decrypt the 32-bit modules.
- 64-bit: writes a new x64 build of the malware to the %TEMP% folder, executes it with CreateProcess, and terminates itself.
18. msvcr90.dll
Packed and encrypted tiny DLL, decrypted only in memory.
Acts as an internet proxy.
Creates several threads:
- one for checking injection
- one for injecting into Windows Task Manager and Sysinternals Process Explorer (32- and 64-bit)
- one for injecting into all processes
- …
19. The injected code
The injected code places inline user-mode hooks on the following functions in every running process:
ntdll.dll!NtDeviceIoControlFile
ntdll.dll!NtEnumerateKey
ntdll.dll!NtEnumerateValueKey
ntdll.dll!NtQueryDirectoryFile
ntdll.dll!NtQueryKey
ntdll.dll!NtQuerySystemInformation
kernel32.dll!CreateFileW
kernel32.dll!CreateProcessInternalW
kernel32.dll!MoveFileW
kernel32.dll!DeleteFileW
kernel32.dll!MoveFileExW
…
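Inline hooks of this kind are found by reading the first bytes of each listed export and checking for a trampoline, and, where a clean copy is available, diffing the in-memory prologue against the on-disk one. The following is an added example, not code from the presentation or from the malware: the prologue byte strings are constructed, the names `TARGETS`, `SAMPLE`, `CLEAN` and `read_prologue_live` are this example's own, and the live read at the end uses ctypes and runs on Windows only.

```python
"""Inline user-mode hook detection for the ntdll/kernel32 exports listed above.

Added example, not code from the page. The injected code overwrites the first
bytes of each target function with a trampoline into its own code, so a
scanner reads the prologue and looks for jump patterns and, where a clean
copy is available, diffs memory against disk. All prologue byte strings here
are constructed; the live read at the end uses ctypes and runs on Windows only.
"""
import sys
from typing import Dict, List, Optional, Tuple

# Exports the slides list as hooked in every running process.
TARGETS: List[Tuple[str, bytes]] = [
    ("ntdll.dll", b"NtDeviceIoControlFile"), ("ntdll.dll", b"NtEnumerateKey"),
    ("ntdll.dll", b"NtEnumerateValueKey"), ("ntdll.dll", b"NtQueryDirectoryFile"),
    ("ntdll.dll", b"NtQueryKey"), ("ntdll.dll", b"NtQuerySystemInformation"),
    ("kernel32.dll", b"CreateFileW"), ("kernel32.dll", b"CreateProcessInternalW"),
    ("kernel32.dll", b"MoveFileW"), ("kernel32.dll", b"DeleteFileW"),
    ("kernel32.dll", b"MoveFileExW"),
]


def trampoline_kind(prologue: bytes) -> Optional[str]:
    """Name the trampoline if the first bytes are a known inline-hook pattern."""
    p = prologue
    if p[:1] == b"\xe9":
        return "jmp rel32"
    if p[:2] == b"\xff\x25":
        return "jmp [mem]"
    if p[:1] == b"\x68" and p[5:6] == b"\xc3":
        return "push imm32; ret"
    if p[:1] == b"\xb8" and p[5:7] == b"\xff\xe0":   # a clean x86 stub also starts B8,
        return "mov eax, imm32; jmp eax"              # so the jmp eax is the discriminator
    if p[:2] == b"\x48\xb8" and p[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return None


def check_function(name: str, in_memory: bytes,
                   on_disk: Optional[bytes] = None) -> Optional[str]:
    """Verdict for one export: pattern check first, then byte diff against disk."""
    kind = trampoline_kind(in_memory)
    if kind:
        return f"{name}: inline hook ({kind})"
    if on_disk is not None:
        n = min(len(in_memory), len(on_disk))
        if in_memory[:n] != on_disk[:n]:
            return f"{name}: prologue differs from on-disk copy"
    return None


def scan(prologues: Dict[str, bytes],
         clean: Optional[Dict[str, bytes]] = None) -> List[str]:
    """Check every {name: prologue bytes} entry; return the findings."""
    clean = clean or {}
    return [v for v in (check_function(n, m, clean.get(n))
                        for n, m in prologues.items()) if v]


def read_prologue_live(module: str, export: bytes, n: int = 16) -> bytes:
    """Windows only: read the first n bytes of an export inside this process."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32")
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    base = k32.GetModuleHandleW(module)
    addr = k32.GetProcAddress(base, export) if base else None
    if not addr:
        raise OSError(f"{module}!{export.decode()} not found")
    return ctypes.string_at(addr, n)


# Constructed 16-byte prologues: two clean syscall stubs and four hooked ones.
CLEAN_X64_STUB = bytes.fromhex("4c8bd1 b807000000 f604250803fe7f01")  # mov r10,rcx; mov eax,7; test ...
CLEAN_X86_STUB = bytes.fromhex("b8b1000000 ba0003fe7f ff12 c22800 90")  # mov eax,B1h; mov edx,...; call [edx]; ret
HOOK_JMP = bytes.fromhex("e978563412") + b"\x90" * 11
HOOK_PUSHRET = bytes.fromhex("6800104000c3") + b"\x90" * 10
HOOK_MOVJMP = bytes.fromhex("b800104000ffe0") + b"\x90" * 9
HOOK_AFTER_MOV = CLEAN_X86_STUB[:5] + bytes.fromhex("e978563412") + CLEAN_X86_STUB[10:]

SAMPLE = {
    "ntdll!NtQuerySystemInformation": HOOK_JMP,
    "ntdll!NtQueryDirectoryFile": CLEAN_X64_STUB,
    "ntdll!NtEnumerateKey": HOOK_MOVJMP,
    "kernel32!CreateFileW": HOOK_PUSHRET,
    "kernel32!DeleteFileW": CLEAN_X86_STUB,
    "ntdll!NtQueryKey": HOOK_AFTER_MOV,   # hook placed after the mov: only the disk diff sees it
}
CLEAN = {"ntdll!NtQueryKey": CLEAN_X86_STUB}

if __name__ == "__main__":
    for finding in scan(SAMPLE, CLEAN):
        print(finding)
    if sys.platform == "win32":
        live = {f"{m}!{e.decode()}": read_prologue_live(m, e) for m, e in TARGETS}
        print(scan(live) or "no trampolines found in live ntdll/kernel32 prologues")
```

The `NtQueryKey` sample shows why the pattern check alone is not enough: a detour written after the `mov eax, imm32` leaves the first byte untouched, and only the comparison with a clean copy catches it. The live scan runs the pattern check only; feeding it on-disk prologues requires mapping the DLL from disk and resolving the same exports there, which is not shown.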
24. iOS version
The iOS version is built for armv7 against the iOS 5.1 SDK on OS X 10.7.3, and it appears to run on iPhone 4 and 4S, iPad 1, 2 and 3, and iPod touch 3 and 4, on iOS 4.0 and up.
25. iOS version
The code signature contains 3 certificates:
- "Apple Root CA": expires 09.02.2035 (this root certificate is present in the local keychain).
- "Apple Worldwide Developer Relations Certification Authority": expires 14.02.2016.
- "iPhone Distribution: Martin Muench": expires 03.04.2013. SHA1 fingerprint: 1F921F276754ED8441D99FB0222A096A0B6E5C65.
30. Windows Mobile version
- AddressBook: exfiltrates details of the contacts stored in the local address book.
- CallInterception: intercepts voice calls, records them and stores them for later transmission.
- PhoneCallLog: exfiltrates information on all performed, received and missed calls stored in a local log file.
- SMS: records all incoming and outgoing SMS messages and stores them for later transmission.
- Tracking: tracks the GPS location of the device.
32. Windows Mobile version
In order to manipulate phone calls, the malware makes use of the functions provided by RIL.dll, the Radio Interface Layer.
36. Symbian version
As noted in the security section of the Nokia developer notes for Symbian: "Trusted UI dialogs are rare. They must be used only when confidentiality and security are critical: for instance for password dialogs. Normal access to the user interface and the screen does not require this." The second file ("mysym.sisx") is an "Installation File" and appears to be signed by "Symbian CA I" for "Cyan Engineering Services SAL (offshore)".
37. C&C Servers
- Two servers in Brunei
- One in Turkmenistan's Ministry of Communications
- Two in Singapore
- One in the Netherlands
- A new server in Indonesia
- A new server in Bahrain