How FinFisher Malware Steals Windows Boot Manager with UEFI Bootkit?

Commercially developed FinFisher malware can now compromise Windows devices using a UEFI bootkit that it inserts in place of the Windows Boot Manager. FinFisher (also known as FinSpy and Wingbird) is a surveillance solution developed by the Gamma Group that also ships with malware-like capabilities often found in spyware strains.

The developer says it is sold exclusively to government agencies and law enforcement across the world, but cybersecurity firms have also observed it being delivered through spearphishing campaigns and through the infrastructure of Internet Service Providers (ISPs).

Built for Persistence and Evasiveness

“During the research, we discovered a UEFI bootkit that was loading the FinSpy. All the machines affected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one,” security researchers revealed today.

“This method of exploitation permitted the threat actors to install a bootkit without the requirement to bypass firmware security checks. UEFI infections are very rare and generally hard to run, and they stand out due to their evasiveness and persistence.”

The Unified Extensible Firmware Interface (UEFI) firmware allows for highly persistent bootkit malware because the firmware lives in the SPI flash storage soldered to the computer’s motherboard, making an infection there impossible to remove by replacing the hard drive or even reinstalling the OS.

Bootkits are malicious code planted in the firmware or the early boot chain that is invisible to security solutions running within the operating system, because it is designed to load before everything else, at the very start of a device’s boot sequence.

They give threat actors control over an operating system’s boot process and make it possible to disable OS defenses by bypassing the Secure Boot mechanism, depending on the system’s boot security mode (enabling the “full boot” or “thorough boot” mode would block the malware, as the NSA explains).

Publicly documented attacks and malware using bootkits in the wild are extremely rare: LoJax, used by the Russian-backed APT28 hacker group; MosaicRegressor, deployed by Chinese-speaking hackers; TrickBot’s TrickBoot module; and Moriya, which Chinese-speaking threat actors likely used for espionage since 2018.

“While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine,” the researchers added.


Older computers that lack UEFI support were infected using a similar tactic, through the MBR (Master Boot Record), with a bootkit first detected in 2014.
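Because the attack described above swaps the Windows Boot Manager on the EFI System Partition (ESP) rather than the firmware itself, a defender can check that file directly. The following PowerShell script is an added example, not code from the report or from Kaspersky: it mounts the ESP, verifies the Authenticode signature of bootmgfw.efi, records its hash for baselining, and reports the Secure Boot state. The drive letter S: is an assumption; run it from an elevated prompt.

```powershell
# Added example (not from the original article): integrity check of the
# Windows Boot Manager on the EFI System Partition. Assumes S: is unused.
$EspLetter   = 'S:'
$BootMgrPath = Join-Path $EspLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
# Windows keeps a servicing copy of the boot manager here; the two normally match.
$RefPath     = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'

function Test-SecureBootState {
    try {
        $enabled = Confirm-SecureBootUEFI      # $true/$false on UEFI systems
    } catch {
        Write-Warning "Secure Boot state unavailable (legacy BIOS/MBR system?): $_"
        return $false
    }
    if (-not $enabled) { Write-Warning 'Secure Boot is DISABLED.' }
    return $enabled
}

function Test-BootManagerSignature {
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Not found: $Path"; return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path   # EFI binaries are PE files
    $ok  = ($sig.Status -eq 'Valid') -and
           ($sig.SignerCertificate.Subject -like '*Microsoft*')
    if (-not $ok) {
        Write-Warning ("bootmgfw.efi signature check FAILED: status={0}, signer={1}" -f
                       $sig.Status, $sig.SignerCertificate.Subject)
    }
    return $ok
}

# Mount the ESP, run the checks, always unmount again.
mountvol $EspLetter /S | Out-Null
try {
    $secureBoot = Test-SecureBootState
    $sigOk      = Test-BootManagerSignature -Path $BootMgrPath
    $espHash    = (Get-FileHash -Algorithm SHA256 $BootMgrPath).Hash
    Write-Output "ESP bootmgfw.efi SHA256: $espHash"   # keep as a baseline value
    if (Test-Path $RefPath) {
        $refHash = (Get-FileHash -Algorithm SHA256 $RefPath).Hash
        # A mismatch can follow a Windows update, but it warrants a closer look.
        if ($refHash -ne $espHash) { Write-Warning "ESP copy differs from $RefPath" }
    }
    Write-Output ("SecureBoot={0} SignatureValid={1}" -f $secureBoot, $sigOk)
} finally {
    mountvol $EspLetter /D
}
```

A valid Microsoft signature does not by itself prove the ESP is clean, so the recorded hash should be compared against a baseline taken from a known-good image.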

New Obfuscation and Anti-Analysis Measures

For other malware samples used in the attacks analyzed by Kaspersky, the spyware’s developers also used four layers of obfuscation and anti-analysis measures designed to make FinFisher one of the “hardest-to-detect spywares to date.”

Their efforts were highly effective, since the malware samples could evade almost any detection attempt and were virtually impossible to analyze (every sample spotted by Kaspersky’s experts required “overwhelming” amounts of work to unscramble).

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” added Igor Kuznetsov, a principal security researcher at the Global Research and Analysis Team (GReAT).

“It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect.”

You can find further details and indicators of compromise (IOCs) related to FinFisher’s Windows, Linux, and macOS infection vectors at the end of the security report.
