FinFisher
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| FinSpy | (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
FinFisher performs UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
FinFisher establishes persistence by creating the Registry key |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
FinFisher creates a new Windows service with the malicious executable for persistence.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
A FinFisher variant uses DLL search order hijacking.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017) |
| .002 | Hijack Execution Flow: DLL Side-Loading |
FinFisher uses DLL side-loading to load malicious programs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
||
| .013 | Hijack Execution Flow: KernelCallbackTable |
FinFisher has used the |
||
| Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
FinFisher clears the system event logs using |
| Enterprise | T1056 | .004 | Input Capture: Credential API Hooking |
FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.(Citation: FinFisher Citation)(Citation: Elastic Process Injection July 2017) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
FinFisher contains junk code in its functions in an effort to confuse disassembly programs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| .002 | Obfuscated Files or Information: Software Packing |
A FinFisher variant uses a custom packer.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017) |
||
| Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit |
Some FinFisher variants incorporate an MBR rootkit.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
FinFisher probes the system to check for antimalware processes.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017) |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.(Citation: Microsoft FinFisher March 2018) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0070 | Dark Caracal |
(Citation: Lookout Dark Caracal Jan 2018) |
References
- FinFisher. (n.d.). Retrieved December 20, 2017.
- Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.
- Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.