Follow us

Your Windows UEFI bootKit might be infected by FinSpy Malware

FinSpy now affects the bootloader itself, making it harder to detect and sometimes obfuscating itself if found.

Updated: October 11, 2021 By Ozair Malik

Image showing security admins getting alerts of Spyware from monitoring systems

Image source—freepik.com

It is allegedly stated that FinSpy software was sold to the Egyptian government Hosni Mubarak to spy on dissidents and by the Bahraini government to spy on Bahraini activists in Britain – the latter resulting in the software having been found in breach of human rights.

FinSpy was thought to be lost and taken care of by the researchers at Kaspersky. Still, after following an eight-month investigation led by Kaspersky, it has been seen that it did not disappear but was only hiding in the dark, making itself much stronger and harder to detect. It has now been witnessed to affect the UEFI BootKit of the Windows machine.

In this image, we have a UEFI interface and files. It shows the FinSpy Trojan present in the files and how it has replaced Boot Loader

Image source — microsoft.blog.com

What is FinSpy?

FinSpy (also known as FinFisher or Wingbird) first emerged in 2011. It was made by a German-based company known as "Gemma international." Its objectives were to steal data or hijack the computer systems taking valuable information.

Later on, it got updated, and then it started infecting itself with applications and software like the microphone. This malware was marketed to law enforcement channels nationwide for espionage and was a profit-based software.

The corporate claims to sell this software only to law enforcement agencies.  However, cyber security researchers have also discovered it spreading through spearfishing campaigns and the infrastructure of Internet Service Providers (ISP).

FinSpy spotted in other applications

Before it was detected in UEFI, researchers also found out in the middle of 2019 that the FinFisher malware was also present in installers for legitimate installers like TeamViewer, VLC Media Player, and WinRAR.

UEFI bootKit

Unified Extensible Firmware Interface, commonly known as UEFI, is low-level software that starts when a computer is turned on. Unlike BIOS, it is a newer version, and nowadays, it comes preinstalled. It checks system hardware and sees if they are working properly or not. Currently, new computers come with UEFI boot, and if a laptop still says BIOS, it is UEFI so that no confusion occurs for the user. BIOS will soon be dead.

Findings of FinSpy

It took Kaspersky researchers based in Moscow eight months to reverse engineer this new stealthy malware. And in their research, they found this new UEFI bootkit variant which had to obfuscate (encrypting malware) layer technique to hide. This project was started in 2019, and finally, Kaspersky has shared its findings today.

This was one of the most complicated cases for us as researchers; they made a lot of effort just to hide everything, even from forensic activities. 
UEFI infections are very rare and generally hard to execute; they stand out due to their evasiveness and persistence.

Igor Kuznetsov, a principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT)

It is stated that this new spyware has been seen targeting activists, journalists, and dissidents worldwide.

Working of FinSpy in UEFI

When a machine is turned on, Windows Boot Manager Loads up the UEFI firmware and performs further checks.

What FinSpy did was that it did not infect the UEFI firmware itself but replaces a malicious code in Windows Boot Manager (bootmgfw. efi) which infects the machine. When UEFI transfers execution to the malicious loader, it firsts looks for the original Boot Loader.

Since it has been replaced, so the malicious code executes. It is stored inside the efi\microsoft\boot\en-us\directory, with the name consisting of hexadecimal characters. This directory contains two files: the Winlogon Injector and the Trojan Loader. The malicious code was installed on a separate partition, which made it bypass firmware security check, and as a result, it could control the machine's boot process.

On previous computers or machines that did not support UEFI, It was seen by researchers that infections were found in the MBR (Master Boot Record)

Evasion technique or anti-analysis measures

The FinSpy malware, since its upgrade, has had new changes to its code which took us enormous power to crack the code. Hence FinSpy malware is the hardest to detect spyware up to date. When a victim downloads, the researchers see the Trojan two things. They found that the code had two techniques that bypassed the security, namely "pre-validator" and "post-validator."

Pre-Validator

Pre-validator performs multiple checks to see if the machine does not belong to a security researcher.

It downloads a host of security shellcodes from the command and control server and executes all 33 of them. Each shellcode collects specific valuable information (e.g., the current process name), which sends back to the server. If any of the checks fail, the command and control server terminates the infection process leaving no trace behind.

Post-Validator

When all the checks are passed in phase one, then the post-validator is executed. Post-validator checks that the machine is the one that was targeted. If it does not, then the process stops; otherwise, the post-validator infects the Trojan itself.

Trojan

The spyware gathers Intel from the infected machine such as credentials, file listings, deleted files, documents, live streaming or recording data, webcam microphone access, and employs the "developer mode" of the browser to hijack and intercept HTTPS traffic coming and going on the machine.

One of the plug-ins is used to steal all the encrypted keys through user’s traffic so that all of this can be decrypted and used in the developer's mode. Developer’s mode allows them to write all the keys on disk for the hackers use.

The Trojan only executes a little peace in the code. This results in safety because even if a forensic expert makes a live memory image, he would still blank. After all, every page will come encrypted, and only one module was responsible for this attack.

It is unusual to use multilayer obfuscation, encryption, and a large amount of code in its platform. Usually [with malware attacks] we either have a lot of obfuscation and not much business logic, or we have big enterprise code with a huge infrastructure, but that is not obfuscated," he says. "Managing both obfuscation and encryption and maintaining that amount of code is complicated.

Kaspersky researchers say

Safety measures

According to NSA, enabling "full boot" or "thorough boot," mod would block the malware. Kaspersky has stated that anyone looking to protect their computer should not download software from untrusted links and follow only trusted software. Look out for unsolicited links, have a strong endpoint connection .Also, Keep your OS or software up to date. And finally, spread cybersecurity awareness amongst others.

Conclusion

FinSpy is indeed very dangerous spyware because of its protection techniques.

It's hard to crack and get founded. Kaspersky did not disclose the information of infected with this, but they indeed shared this with the public. It can be seen that hackers are getting better day by day, but researchers worldwide have not given up and are still fighting this war. This spyware should encourage people to share information to deploy better defense mechanisms.

Tags: 
News
Author
Ozair Malik
A passionate Cyber Security researcher and writer with a keen interest in Digital Forensics. A community worker running a insta blog to raise cybersecurity awareness among laymen.

Leave a comment

click to select