I sell high-security phones online and my premium vendor just sent me a FinSpy-FinFisher warning about 90 days ago. Also, I recently experienced a hack that “appears” to have read my recent file list, then exported those files over the internet. I “think” this is what FinSpy does. I’m using a Debian variant, with MATE DE. I have since disabled my “recent-file-list” in MATE. This was a royal PITA! I think I need a different DE, that’s not so easy to exploit and “very” easy to lock down. Can anyone suggest a MATE alternative that might satisfy this requirement?
My understanding is that FinSpy can read data files directly from memory (RAM Heap). HDD/SSD encryption is a good thing; but, it doesn’t prevent data that is stored in RAM, in the clear, from being read. I don’t know if it checks the recent-files-list first, before reading RAM data contents; so, disabling the recent-file-list, may not prevent another attack. In any case, I think what needs to happen, in addition to HDD/SSD encryption, is to store file-data in RAM in encrypted form, then only decrypt the data, as it is being displayed.
The ports that FinSpy-FinFisher use are 8999 and 8899. These should obviously be disabled by default. I can do it using “iptables;” but, the setting doesn’t persist. Does anyone have a script that can set individual ports with “persistence?” Maybe, this is just coincidence; but, the ports chosen have significance in “triad” numerology.
I’m leaving the text of the warning I received below, with the vendor information redacted. I hope this is useful to the dev’s.
Sent at: 8/7/2019 10:01 :34 AM
Combing the monitoring worlds of G3, GSM, CYBER, Wi-Fi,
OSINT & GEO LOCATION
From : ******************************************
AUGUST 07, 2019: ISSUE #856
THE HYDRA 2020
THE NEW HSS HYDRA 2020
An all-encompassing platform
combining the monitoring worlds of
3G, GSM, CYBER, Wi-Fi, OSINT & GEO LOCATION
A most advanced, proprietary ombudsman of counter terrorist solutions
featuring intercepting, monitoring, decrypting, geo-location, data analysis
plus so much more.
In one comp lete multi-headed p latform you can now Intercept, monitor,
collect and analyze data from …
WhatsApp, FB Messenger, Viber, Signal and other social media platforms
Satellite telephone communications.
Cellular communications via Active GSM Field Intercep tion and IMSI/IMEICatchers and passive GSM Intercept Cell traffic, VOICE and SMS and perform Remote Phone Manipulations
RF Detection, intercepting and jamming phone, drone, + RF signals
Intelligence gathering utilizing GSM and WIFI Tactical
Geo Intelligence; video to 3D mapping solution with OSINT, Big Data
analysis & Geo-location Vehicle direction finding
Personal GSM finder and locator; track targets around the country
Collect MAC for WIFI tracking, phone numbers for OSINT, Voice
Print & Gender IDs
DONT MISS OUT ON THE FEATURED
WhatsApp DEMONSTRATION KIT
Looking for a powerful solution to capture WhatsApp messages?
Penetrate cellular defenses
Generate effective access to Target devices
Perform interception of their data communications
Operate in ‘new’ locations, without requiring any integration
Extract data from phones
Capture cell phones and windows 10 remotely
Can control 10 phones at any one time
For trial rental to authorized law enforcement agencies only
CONTACT ME. JOE PORTER
Contact us today
*** designs and builds advanced RF solutions for both Law Enforcement and Defense industries. For
more information, demonstrations, or Reseller O pportunities, Contact Us.
Some of the technologies mentioned herein may be restricted to Government Agencies only, and
are mentioned for informational purposes. Contact us for more information.
Legal Notice: This email is intended only as a proprietary notice and does not constitute and offer to sell surreptitious intercept devices or technologies. Such information or offer can only be made by an official Homeland Security Strategies pro-forma invoice signed by an authorized agent of *** and furthermore, in the United States, must be a Law Enforcement Agency or political subdivision of the United States Government; in compliance with the US code Title 18 Section 2512. Available to authorized agencies and their authorized vendors only.
Legal Notice: This email is intended only as a proprietary notice and does not constitute an offer to sell RF Jammer and or Bomb Jammer TM systems - equipment. In addition, all Jamming devices in part or whole are strictly regulated by the US Department of State in accordance with the guidelines in the International Traffic in Arms (!TAR) per title 22, Code of Federal Regulations (CFR), Parts 120-130 . Any such offer can only be made by an official HSS proforma invoice signed by an authorized agent of *** conforming to US code Title 22, Parts 120 - 130 … Available to authorized agencies only. You are receiving this message because you have inquired with one of our 4 web sites containing Law Enforcement systems at either **** Technologies or *** or have specifically been referred to us. Please expect one to two messages per month with timely information about our technologies and applications. Should you choose not to receive future messages, please follow the iContact instructions below.
Manage Your Subscription
This message was sent **************** from ***************************Defense News
Homeland Security *****************
FinSpy is a field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries. FinSpy provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory (recent file list) and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet. Personal data including contacts, messages, audios and videos, can be exfiltrated from most popular messengers.
According to information on its official website, FinFisher, among other tools and services, provides a “strategic wide-scale interception and monitoring solution”. This software (also known as FinSpy) is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks and mobile implants were discovered in 2012. Since then xxxxx Technologies has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at xxxxx Technologies looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory (recent file list), phone call recordings and data from the most popular messengers.
The Android implant is capable of gaining root privileges on an unrooted device by abusing the “DirtyCow” exploit, which is contained in the malware. FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in “June 2019.”
The Android implant’s functionality is unlikely to change much, based on the fact that most of the configuration parameters are the same in the old and new versions. The variety of available settings makes it possible to tailor the behavior of the implant for every victim. For example, operators can choose the preferred communication channels or automatically disable data transfers while the victim is in roaming mode. All the configuration data for an infected Android device (including the location of the control server) is embedded in the implant and used afterwards, but some of the parameters can be changed remotely by the operator. The configuration data is stored in compressed format, split into a set of files in the assets directory of the implant apk. After extracting all pieces of data and building the configuration file, it’s possible to get all the configuration values. Each value in the configuration file is stored after the little-endian value of its size, and the setting type is stored as a hash.
For example, the following interesting settings found in the configuration file of the developer build of the implant can be marked: mobile target ID, proxy ip-address, proxy port, phone number for remote SMS control, unique identifier of the installed implant.
As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, and by remote infection vectors: SMS messages, emails and WAP Push. After successful installation, the implant tries to gain root privileges by checking for the presence of known rooting modules “SuperSU” and “Magisk” and running them. If no utilities are present, the implant decrypts and executes the “DirtyCow” exploit, which is located inside the malware; and if it successfully manages to get root access, the implant registers a custom “SELinux” policy to get full access to the device and maintain root access. If it used SuperSU, the implant modifies SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during boot. It also deletes all possible logs including SuperSU logs.
The implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory (recent file list) and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet (the C2 server location is stored in the configuration file). Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers. Each of the targeted messengers has its own unified handling module, which makes it easy to add new handlers if needed.
The full hardcoded list of supported messengers is shown below:
Package name Application name
com.bbm BBM (BlackBerry Messenger)
com.facebook.orca Facebook Messenger
jp.naver.line.android Line Messenger
At first, the implant checks that the targeted messenger is installed on the device (using a hardcoded package name) and that root access is granted. After that, the messenger database is prepared for data exfiltration. If necessary, it can be decrypted with the private key stored in its private directory, and any required information can simply be queried:
All media files and information about the user are exfiltrated as well.
FinSpy implants are controlled by the FinSpy Agent (operator terminal). By default, all implants are connected to FinSpy anonymizing proxies (also referred to as FinSpy Relays) provided by the spyware vendor. This is done to hide the real location of the FinSpy Master. As soon as the infected target system appears online, it sends a heartbeat to the FinSpy Proxy. The FinSpy Proxy forwards connections between targets and a master server. The FinSpy Master server manages all targets and agents and stores the data. Based on decrypted configuration files, our experts were able to find the different relays used by the victims and their geographical location. “Most of the relays we found are concentrated in “Europe,” with some in “South-East-Asia” and the “USA.””
FinSpy mobile implants are advanced malicious spy tools with diverse functionality. Various configuration capabilities provided by the spyware vendor in their product enable the FinSpy terminal (FinSpy Agent) operators to tailor the behavior of each implant for a particular victim and effectively conduct surveillance, exfiltrating sensitive data such as GPS location, contacts, calls and other data from various instant messengers and the device itself.
The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that this spyware solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented.
Since the leak in 2014, the FinSpy developers have recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market.
Overall, during the research, up-to-date versions of these implants used in the wild were detected in almost 20 countries, although the total number could be higher.
FinSpy developers are constatly working on the updates for their malware. At the time of publication, xxxxx Technologies researchers have found another version of the threat and are currently investigating this case.