Windows Boot Manager Hijacked by FinFisher Malware
The Malware Can Now Infect Windows Devices Using a UEFI Bootkit.
The FinFisher surveillance solution was developed by the Gamma Group but it also comes with malware-like capabilities often found in spyware strains.
Its creator claims it is only offered to government agencies and law enforcement organizations throughout the world, however cybersecurity firms have seen it being distributed through spearphishing campaigns and ISP infrastructure (ISPs).
Researchers Investigated the Bootkit
Because UEFI (Unified Extensible Firmware Interface) firmware is stored within SPI flash storage soldered to a computer’s motherboard, extremely persistent bootkit malware is impossible to remove by hard drive replacement or even OS re-installation.
During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence.
Bootkits are malicious malware placed in the firmware that is undetectable to security solutions within the operating system because it is designed to load first in the booting process of a device, as they are able to give attackers control over an operating systems’ boot process and make it possible to sabotage OS defenses bypassing the Secure Boot mechanism depending on the system’s boot security mode.
While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine.
It seems that the spyware’s developers used four layers of obfuscation and anti-analysis measures designed to make FinFisher one of the “hardest-to-detect Spywares to date”, according to the researchers at Kaspersky.
According to the news publication BleepingComputer, this made the malware highly effective as its samples were able to evade almost any detection attempt and were virtually impossible to analyze, as apparently, they were requiring “overwhelming” amounts of work to unscramble.
The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive.
It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect.