Are you sure the version of WhatsApp, or Skype, or VLC Player installed on your device is legitimate?
Security researchers have discovered that legitimate downloads of several popular applications including WhatsApp, Skype, VLC Player and WinRAR have reportedly been compromised at the ISP level to distribute the infamous FinFisher spyware also known as FinSpy.
FinSpy is a highly secret surveillance tool that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies across the world.
The spyware has extensive spying capabilities on an infected computer, including secretly conducting live surveillance by turning ON its webcams and microphones, recording everything the victim types with a keylogger, intercepting Skype calls, and exfiltration of files.
In order to get into a target’s machine, FinFisher usually uses various attack vectors, including spear phishing, manual installation with physical access to the device, zero-day exploits, and watering hole attacks.
Your ISP may be Helping Hackers to Spy on You
However, a new report published today by ESET claimed that its researchers had discovered new surveillance campaigns utilizing new variants of FinFisher in seven countries, which comes bundled with a legitimate application.
But how is this happening? Attackers are targeting victims using a man-in-the-middle (MitM) attack, where the internet service providers (ISP) are most likely operating as the “middle man”—bundling legitimate software downloads with FinFisher.
“We have seen this vector being used in two of the countries in which ESET systems detected the latest FinFisher spyware (in the five remaining countries, the campaigns have relied on traditional infection vectors),” the researchers say.
Previously published documents by WikiLeaks also indicated that the FinFisher maker also offered a tool called “FinFly ISP,” which is supposed to be deployed on ISP level with capabilities necessary for performing such a MitM attack.
Also, the infection technique (using the HTTP 307 redirect) was implemented in the same way in the two affected countries ESET discovered being targeted by the new variants of FinFisher. However, the firm did not name the affected countries “as not to put anyone in danger.”
Another fact which supports the ISP-level MitM attack is that all affected targets identified by the researchers within a country were using the same ISP.
“Finally, the very same redirection method and format have been used for internet content filtering by internet service providers in at least one of the affected countries,” the ESET report reads.
The popular applications targeted by the new variants of FinFisher include WhatsApp, Skype, VLC Player, Avast and WinRAR, and the ESET researchers said, “virtually any application could be misused in this way.”
Here’s How the Attack Works:
When the target users search for one of the affected applications on legitimate websites and click on its download link, their browser is served a modified URL, which redirects victims to a trojanized installation package hosted on the attacker’s server.
This results in the installation of a version of the intended legitimate application bundled with the surveillance tool.
“The redirection is achieved by the legitimate download link being replaced by a malicious one,” the researchers say. “The malicious link is delivered to the user’s browser via an HTTP 307 Temporary Redirect status response code indicating that the requested content has been temporarily moved to a new URL.”
This whole redirection process, according to researchers, is “invisible to the naked eye” and occurs without user’s knowledge.
FinFisher Utilizing a Whole Lot of New Tricks
The new tricks employed by the latest version of FinFisher kept it from being spotted by the researchers.
The researchers also note that the latest version of FinFisher received several technical improvements in terms of stealthiness, including the use of custom code virtualization to protect the majority of its components like the kernel-mode driver.
It also makes use of anti-disassembly tricks, and numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks, aiming at compromising end-to-end encryption software and known privacy tools.
One such secure messaging application, called Threema, was discovered by the researchers while they were analyzing the recent campaigns.
“FinFisher spyware masqueraded as an executable file named “Threema.” Such a file could be used to target privacy-concerned users, as the legitimate Threema application provides secure instant messaging with end-to-end encryption,” the researchers say.
“Ironically, getting tricked into downloading and running the infected file would result in the privacy-seeking user being spied upon.”
Gamma Group has not yet responded to the ESET report.