The FinSpy commercial spyware is back in recently observed campaigns against organizations and activists in Egypt. While the spyware previously targeted Windows, iOS and Android users, researchers have discovered these campaigns using new variants that target macOS and Linux users.

FinSpy is a full-fledged surveillance software suite, which has the ability to intercept victims’ communications, access private data, and record audio and video, according to Amnesty International, which uncovered the recent new variants. It’s been in use by law-enforcement and government agencies around the world since 2011.

However, researchers recently uncovered never-before-seen FinSpy samples that have been in use in campaigns since October 2019. These samples include “Jabuka.app,” a FinSpy variant for macOS, and “PDF,” a FinSpy variant for Linux. Both were publicly disclosed Friday for the first time.

“Through additional technical investigations into this most recent variant, Amnesty’s Security Lab also discovered, exposed online by an unknown actor, new samples of FinSpy for Windows, Android, and previously undisclosed versions for Linux and MacOS computers,” said Amnesty International researchers, in a Friday analysis.

FinSpy’s Past

FinSpy has been in use since 2011. In recent years, however, researchers have spotted campaigns that use the spyware in more innovative ways.

In March 2019, Amnesty International published a report analyzing phishing attacks that targeted Egyptian human rights defenders and the staff of media and civil-society organizations. These attacks, carried out by a group known as “NilePhish,” distributed samples of FinSpy for Microsoft Windows through a fake Adobe Flash Player download website.

In June 2019, Kaspersky researchers said they had seen new instances of the spyware in the firm’s telemetry, including activity recorded in Myanmar the previous month. According to Kaspersky, several dozen unique mobile devices had been infected over the preceding year using revamped implants. These newer samples targeted Android and iOS devices.

New Samples

The most recent attacks published this week continue to target Egyptian civil-society organizations. Researchers said that the FinSpy sample for macOS “uses a quite complex chain to infect the system, and the developers took measures to complicate its analysis.”

The sample is notable in that all of its binaries are obfuscated with Obfuscator-LLVM, an open-source LLVM-based obfuscator developed by a research team in 2013. However, according to Patrick Wardle, security researcher with Jamf, the obfuscation is easy to bypass.

“Good news, this obfuscation doesn’t really hinder analysis,” he said in a detailed analysis over the weekend. “One can simply scroll past it in a disassembler, or in a debugger set breakpoints on relevant (non-obfuscated) code.”
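As an added illustration (not code from the page, from Amnesty International, or from the FinSpy sample itself), the following C program places a clean check beside a hand-written imitation of the two transforms Obfuscator-LLVM applies: bogus control flow, which guards the real block with an always-true opaque predicate, and control-flow flattening, which turns straight-line code into a state machine driven by a switch in a loop. The predicate form `y < 10 || x * (x + 1) % 2 == 0` on two globals is the one the Obfuscator-LLVM bogus-control-flow pass emits; the function names, the tag string and the global names are constructed for this example. The point is Wardle’s: the junk branch never executes and the real block behaves exactly as before, so an analyst can scroll past the dispatcher or break on the unobfuscated library call (`strcmp` here) and see the same data either way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a trivial "tag check" of the kind an implant might
 * perform before acting. This is the clean, unobfuscated form. */
int check_tag_clean(const char *tag) {
    return strcmp(tag, "jabuka") == 0;
}

/* Globals playing the role of the two opaque-predicate variables that the
 * Obfuscator-LLVM bogus-control-flow pass inserts. Their values never
 * matter because x*(x+1) is always even, but the compiler cannot prove it
 * when they are volatile, so the check survives into the binary. */
volatile int32_t x = 0;
volatile int32_t y = 0;

/* The opaque predicate in isolation; always true for any x and y. */
int opaque_predicate(int32_t xv, int32_t yv) {
    return yv < 10 || (((int64_t)xv * ((int64_t)xv + 1)) % 2) == 0;
}

/* Hand-written imitation of what the same check looks like after bogus
 * control flow plus control-flow flattening. States 0..3 are the
 * dispatcher; state 2 is a junk block that is reachable in the CFG but
 * never executes at run time. */
int check_tag_obfuscated(const char *tag) {
    int result = 0;
    int state = 0;
    for (;;) {
        switch (state) {
        case 0: /* opaque predicate decides between real and junk block */
            state = opaque_predicate(x, y) ? 1 : 2;
            break;
        case 1: /* the real block: identical to the clean function */
            result = strcmp(tag, "jabuka") == 0;
            state = 3;
            break;
        case 2: /* dead junk block: never taken, present only to confuse */
            result = (int)((unsigned char)tag[0] ^ 0x5a);
            state = 3;
            break;
        default: /* exit state */
            return result;
        }
    }
}

/* Returns 1 if the predicate holds for every x in [lo, hi] (y fixed at 99
 * so the first disjunct is false and only x*(x+1) is exercised). */
int opaque_always_true(int32_t lo, int32_t hi) {
    for (int32_t v = lo; v <= hi; v++) {
        if (!opaque_predicate(v, 99)) {
            return 0;
        }
    }
    return 1;
}

int main(void) {
    const char *samples[] = { "jabuka", "Jabuka", "pdf", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-8s clean=%d obfuscated=%d\n", samples[i],
               check_tag_clean(samples[i]), check_tag_obfuscated(samples[i]));
    }
    printf("opaque predicate always true on [-5000, 5000]: %d\n",
           opaque_always_true(-5000, 5000));
    return 0;
}
```

In a disassembler the flattened version is several times longer than the clean one, but every byte of extra code sits in the dispatcher or the dead block; the `strcmp` call and its arguments are untouched, which is why a breakpoint on that library call recovers the comparison target without stepping through any of the obfuscation.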


Mac, Linux Users Now Targeted by FinSpy Variants