FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird.
Associated Software Descriptions
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | FinFisher uses token manipulation with NtFilterToken as part of its UAC bypass. |
| Enterprise | T1009 | Binary Padding | FinFisher contains junk code in its functions in an effort to confuse disassembly programs. |
| Enterprise | T1067 | Bootkit | Some FinFisher variants incorporate an MBR rootkit. |
| Enterprise | T1088 | Bypass User Account Control | FinFisher performs UAC bypass. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources. |
| Enterprise | T1038 | DLL Search Order Hijacking | A FinFisher variant uses DLL search order hijacking. |
| Enterprise | T1073 | DLL Side-Loading | FinFisher uses DLL side-loading to load malicious programs. |
| Enterprise | T1083 | File and Directory Discovery | FinFisher enumerates directories and scans for certain files. |
| Enterprise | T1179 | Hooking | FinFisher hooks processes by modifying IAT pointers to CreateWindowEx. |
| Enterprise | T1070 | Indicator Removal on Host | FinFisher clears the system event logs. |
| Enterprise | T1036 | Masquerading | FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file. |
| Enterprise | T1050 | New Service | FinFisher creates a new Windows service with the malicious executable for persistence. |
| Enterprise | T1027 | Obfuscated Files or Information | FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code. |
| Enterprise | T1057 | Process Discovery | FinFisher checks its parent process for indications that it is running in a sandbox setup. |
| Enterprise | T1055 | Process Injection | FinFisher injects itself into various processes depending on whether it is running at low integrity or high integrity. |
| Enterprise | T1012 | Query Registry | FinFisher queries Registry values as part of its anti-sandbox checks. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | FinFisher establishes persistence by creating the Registry key |
| Enterprise | T1113 | Screen Capture | FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide some messages shown by the system during the setup process. |
| Enterprise | T1063 | Security Software Discovery | FinFisher probes the system to check for antimalware processes. |
| Enterprise | T1045 | Software Packing | A FinFisher variant uses a custom packer. |
| Enterprise | T1082 | System Information Discovery | FinFisher checks whether the victim OS is 32-bit or 64-bit. |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | FinFisher probes the system to check for sandbox/virtualized environments. |
Groups that use this software: Dark Caracal