Finfisher- Nguyễn Chấn Việt

Download to read offline

Finfisher- Nguyễn Chấn Việt

Related Books

Free with a 30 day trial from Scribd

See all

Finfisher- Nguyễn Chấn Việt

  1. FinFisher: The Cyber Espionage Tool. VietNC, Security Research
  2. Who Am I? VietNC; Malware Analyst; Exploit Developer
  3. Agenda: Overview; PC version (Windows); Mobile version (iOS, Android, Windows Mobile, BlackBerry, Symbian)
  4. Gamma Group. Gamma Group serves governmental customers only. Target clients:
     - Law Enforcement Agencies: Police, Anti-Corruption, VIP Protection, Customs, Presidential Guard, Naval & Border Security
     - Intelligence Agencies: Internal and External Security Departments
     - Military: Intelligence, Signal Intelligence, Army, Navy, Air Force
     - Special Events: International Conferences & Events
  5. Overview
  6. Overview
  7. Product Capabilities (product name: description)
     - FinSpy Mobile: Offers the ability to compromise the target's mobile phone: BlackBerry, iOS, Android.
     - FinSpy: Refers to the suite of FinFly offerings enumerated below.
     - FinFly USB: Requires direct access to the machine. Can extract and infect.
     - FinFly FireWire: Requires direct access to the machine. Can extract and infect.
     - FinFly LAN: Requires direct access to the target LAN. Can perform various MITM activities.
     - FinFly NET: Requires that the target visit a network that is under the control of the attacker. Can perform various MITM activities.
     - FinFly ISP: Attacks the target's ISP. Can MITM either before hitting the ISP's core network, or afterward.
     - FinFly Web: Attempts to deploy malware to targets through various web-based attack vectors.
     - FinFly Exploit Portal: Basically an online repository of 0-days and 1-days that paying customers can integrate into their attacks on targets and deploy to said targets using various other FinFly offerings.
  8. Bypassing AVs
  9. Bypassing AVs
  10. Dropper. The malware extracts two of the PE resources from itself (walking the PE structures manually rather than through the resource API) and deobfuscates them using a simple XOR algorithm. One of the resources deobfuscates to a JPEG file that is then used as a replacement for the original sample file. The other resource is a PE file that is later loaded into the current process's address space using a custom PE loader.
  11. Dropper. Start with the key bytes and XOR them with the first 4 bytes. Then XOR each following 4 bytes with the (still obfuscated) previous 4 bytes.
  12. Dropper. Before XOR: / After XOR:
  13. Self Delete
  14. Payload Extraction. Decrypt the resources:
     - Test.exe (main component)
     - driverw.sys: named "Microsoft Disk Driver"
     - shell32.dll
     - msvcr90.dll
     - ...
     Put them into %TEMP% and execute them using the ShellExecuteW API.
  15. Features in the payload: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  16. Shell32.dll. Injects msvcr90.dll into another process. Detects firewalls/AVs (Comodo, KAS). Injects code into explorer.exe.
  17. OS Version. The malware checks the OS version:
     - 32-bit: continues to decrypt the 32-bit modules
     - 64-bit: creates a new x64 malware in the %TEMP% folder, executes it with CreateProcess and terminates itself
  18. msvcr90.dll. A packed and encrypted tiny DLL, decrypted only in memory; it acts as an internet proxy. It creates several threads:
     - one for checking injection
     - one for injecting into Windows Task Manager and Sysinternals Process Explorer (32- and 64-bit)
     - one for injecting into all processes
     - ...
  19. The injected code. The injected code places inline user-mode hooks on the following functions in every running process:
     ntdll.dll!NtDeviceIoControlFile
     ntdll.dll!NtEnumerateKey
     ntdll.dll!NtEnumerateValueKey
     ntdll.dll!NtQueryDirectoryFile
     ntdll.dll!NtQueryKey
     ntdll.dll!NtQuerySystemInformation
     kernel32.dll!CreateFileW
     kernel32.dll!CreateProcessInternalW
     kernel32.dll!MoveFileW
     kernel32.dll!DeleteFileW
     kernel32.dll!MoveFileExW
     ...
  20. Features in the PE payload
  21. Covering Tracks: GetCurrentDirectory(), FindFirstFile() / FindNextFile(), DeleteFileW()
  22. C&C Signatures
     alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
  23. Mobile version
  24. iOS version. The iOS version is built for armv7 against iOS SDK 5.1 on OS X 10.7.3, and it appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up.
  25. iOS version. The code signature contains 3 certificates:
     - Certificate "Apple Root CA": expires on 09.02.2035. Your keychain contains this root certificate.
     - Certificate "Apple Worldwide Developer Relations Certification Authority": expires on 14.02.2016.
     - Certificate "iPhone Distribution: Martin Muench": expires on 03.04.2013. SHA1 fingerprint: 1F921F276754ED8441D99FB0222A096A0B6E5C65.
  26. Android. The application appears to install itself as "Android Services":
  27. Android. C&C server decoded:
  28. BlackBerry version. After installing:
  29. BlackBerry version. The malware requests enhanced permissions after installing:
  30. Windows Mobile version
     - AddressBook: exfiltrates details of the contacts stored in the local address book.
     - CallInterception: intercepts voice calls, records them and stores them for later transmission.
     - PhoneCallLog: exfiltrates information on all performed, received and missed calls stored in a local log file.
     - SMS: records all incoming and outgoing SMS messages and stores them for later transmission.
     - Tracking: tracks the GPS locations of the device.
  31. Windows Mobile version
  32. Windows Mobile version. In order to manipulate phone calls, the malware makes use of the functions provided by RIL.dll, the Radio Interface Layer.
  33. Windows Mobile version
  34. Symbian version. The Symbian .sisx: "System Update"
  35. Symbian version. Main component: "c:\sys\bin\updater.exe"
  36. Symbian version. As mentioned in the security section of the Nokia developer notes for Symbian: "Trusted UI dialogs are rare. They must be used only when confidentiality and security are critical: for instance for password dialogs. Normal access to the user interface and the screen does not require this." The second file ("mysym.sisx") is an "Installation File" and appears to be signed by the "Symbian CA I" for "Cyan Engineering Services SAL (offshore)".
  37. C&C Servers: two servers in Brunei; one in Turkmenistan's Ministry of Communications; two in Singapore; one in the Netherlands; a new server in Indonesia; a new server in Bahrain.
  38. Conclusion: Great malware
  39. Questions?
  40. Thank you!
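The chained XOR the dropper slides (10 to 12) describe, written out as an added Python example; this is not the presentation's code and not the dropper's, and the 4-byte key, the 8-byte sample blob and the JPEG-header key recovery are constructed for illustration. The point for an analyst is that only the first dword depends on the key, so four bytes of expected plaintext (the JPEG start marker) are enough to recover the key and decode the rest of the resource:

```python
"""Chained-XOR resource deobfuscation of the kind the dropper slides describe.

Added example (not the presentation's code). The 4-byte key and the sample
blob below are constructed for illustration; a real sample carries its own key.
"""

JPEG_SOI = b"\xff\xd8\xff"  # Start-Of-Image marker a recovered JPEG should begin with


def deobfuscate(blob: bytes, key: bytes) -> bytes:
    """Undo the chaining: first dword XOR key, every later byte XOR the
    obfuscated byte four positions earlier (i.e. the previous obfuscated dword)."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    out = bytearray(len(blob))
    for i, b in enumerate(blob):
        out[i] = b ^ (key[i] if i < 4 else blob[i - 4])
    return bytes(out)


def obfuscate(plain: bytes, key: bytes) -> bytes:
    """Inverse of deobfuscate(): builds test vectors, and lets an analyst confirm
    that a recovered key really reproduces the resource bytes seen in the sample."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    out = bytearray(len(plain))
    for i, b in enumerate(plain):
        out[i] = b ^ (key[i] if i < 4 else out[i - 4])  # chain on the obfuscated output
    return bytes(out)


def recover_key(blob: bytes, known_prefix: bytes) -> bytes:
    """Only the first dword is affected by the key, so four bytes of known
    plaintext (e.g. the JPEG header FF D8 FF E0) give the key directly."""
    if len(known_prefix) < 4 or len(blob) < 4:
        raise ValueError("need at least 4 bytes of blob and of known plaintext")
    return bytes(a ^ b for a, b in zip(blob[:4], known_prefix[:4]))


def looks_like_jpeg(data: bytes) -> bool:
    """Cheap sanity check that the decoded resource is the JPEG the slides mention."""
    return data.startswith(JPEG_SOI)


# Constructed test vector: the first 8 bytes of a JFIF JPEG, obfuscated with a made-up key.
SAMPLE_KEY = b"\x12\x34\x56\x78"
SAMPLE_PLAIN = b"\xff\xd8\xff\xe0\x00\x10JF"
SAMPLE_BLOB = bytes.fromhex("edeca998edfce3de")

if __name__ == "__main__":
    recovered = recover_key(SAMPLE_BLOB, b"\xff\xd8\xff\xe0")
    print("recovered key:", recovered.hex())
    decoded = deobfuscate(SAMPLE_BLOB, recovered)
    print("decoded:", decoded.hex(), "looks like JPEG:", looks_like_jpeg(decoded))
```

The per-byte formulation handles resources whose length is not a multiple of four, which a dword-at-a-time loop would silently truncate.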
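The two C&C signatures on slide 22 applied to sample payloads, as an added Python example; this is neither the presentation's nor Rapid7's code. It implements only the Snort option semantics those two rules use (a `content` string with `|hex|` sections and `depth`, which restricts the search to the first N payload bytes) and ignores `flow` state; the three payloads are constructed, not captured traffic. The shifted payload shows why `depth` matters: the same bytes at offset 8 must not fire rule 1000001.

```python
"""Match client->server payloads against the two FinFisher C&C Snort rules.

Added example (not the presentation's or Rapid7's code). Handles just the
'content' (|hex| sections plus literal text) and 'depth' options; 'flow' and
other options are parsed but not evaluated. Sample payloads are constructed.
"""

RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)',
]


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|0c 00|abc|ff|' into raw bytes."""
    out = bytearray()
    for idx, part in enumerate(spec.split("|")):
        if idx % 2:                      # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                            # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Extract the options this matcher needs from a one-line Snort rule."""
    _header, _, options = rule.partition("(")
    opts = {}
    for item in options.rstrip(")").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return {
        "sid": int(opts["sid"]),
        "msg": opts["msg"],
        "content": parse_content(opts["content"]),
        "depth": int(opts["depth"]),
    }


PARSED_RULES = [parse_rule(r) for r in RULES]


def rule_matches(payload: bytes, rule: dict) -> bool:
    """'depth' limits the search window to the first N bytes; the whole
    content must lie inside that window for the rule to fire."""
    return rule["content"] in payload[: rule["depth"]]


def classify(payload: bytes) -> list:
    """Return the sids of every rule that fires on this payload."""
    return [r["sid"] for r in PARSED_RULES if rule_matches(payload, r)]


# Constructed client->server payloads (not captured traffic).
INIT_PAYLOAD = bytes.fromhex("0c00000040017300") + b"\x00" * 8
HANDSHAKE_PAYLOAD = bytes.fromhex("5c000000a00272000c0000004004fe00") + b"\x00" * 4
SHIFTED_PAYLOAD = b"\x00" * 8 + bytes.fromhex("0c00000040017300")  # pattern outside depth:8

if __name__ == "__main__":
    for name, payload in [("init", INIT_PAYLOAD), ("handshake", HANDSHAKE_PAYLOAD), ("shifted", SHIFTED_PAYLOAD)]:
        print(name, classify(payload))
```

The rule strings are the two signatures from the slide verbatim, so the parser doubles as a check that they are well-formed before they are loaded into a sensor.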