Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)
ID: S0182
Associated Software: FinSpy
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 16 Jan 2018
Last Modified: 12 Sep 2024

Associated Software Descriptions

Name Description
FinSpy (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

FinFisher performs UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FinFisher creates a new Windows service with the malicious executable for persistence.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

A FinFisher variant uses DLL search order hijacking.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)

.002 Hijack Execution Flow: DLL Side-Loading

FinFisher uses DLL side-loading to load malicious programs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

.013 Hijack Execution Flow: KernelCallbackTable

FinFisher has used the KernelCallbackTable to hijack the execution flow of a process by replacing the __fnDWORD function with the address of a created Asynchronous Procedure Call stub routine.(Citation: FinFisher exposed )

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FinFisher clears the system event logs using OpenEventLog/ClearEventLog APIs .(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1056 .004 Input Capture: Credential API Hooking

FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.(Citation: FinFisher Citation)(Citation: Elastic Process Injection July 2017)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

FinFisher contains junk code in its functions in an effort to confuse disassembly programs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

.002 Obfuscated Files or Information: Software Packing

A FinFisher variant uses a custom packer.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Some FinFisher variants incorporate an MBR rootkit.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FinFisher probes the system to check for antimalware processes.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.(Citation: Microsoft FinFisher March 2018)

Groups That Use This Software

ID Name References
G0070 Dark Caracal

(Citation: Lookout Dark Caracal Jan 2018)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.