FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]

ID: S0182
Associated Software: FinSpy

Platforms: Windows

Version: 1.1

Associated Software Descriptions

FinSpy [3] [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1134 | Access Token Manipulation | FinFisher uses token manipulation with NtFilterToken as part of UAC bypass. [1][5]
Enterprise | T1009 | Binary Padding | FinFisher contains junk code in its functions in an effort to confuse disassembly programs. [1][5]
Enterprise | T1067 | Bootkit | Some FinFisher variants incorporate an MBR rootkit. [1][5]
Enterprise | T1088 | Bypass User Account Control | FinFisher performs UAC bypass. [1][5]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources. [1][5]
Enterprise | T1038 | DLL Search Order Hijacking | A FinFisher variant uses DLL search order hijacking. [1][4]
Enterprise | T1073 | DLL Side-Loading | FinFisher uses DLL side-loading to load malicious programs. [1][5]
Enterprise | T1083 | File and Directory Discovery | FinFisher enumerates directories and scans for certain files. [1][5]
Enterprise | T1179 | Hooking | FinFisher hooks processes by modifying IAT pointers to CreateWindowEx. [1][6]
Enterprise | T1070 | Indicator Removal on Host | FinFisher clears the system event logs. [1][5]
Enterprise | T1036 | Masquerading | FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file. [1][5]
Enterprise | T1050 | New Service | FinFisher creates a new Windows service with the malicious executable for persistence. [1][5]
Enterprise | T1027 | Obfuscated Files or Information | FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code. [1][5]
Enterprise | T1057 | Process Discovery | FinFisher checks its parent process for indications that it is running in a sandbox setup. [1][5]
Enterprise | T1055 | Process Injection | FinFisher injects itself into various processes depending on whether it is low integrity or high integrity. [1][5]
Enterprise | T1012 | Query Registry | FinFisher queries Registry values as part of its anti-sandbox checks. [1][5]
Enterprise | T1060 | Registry Run Keys / Startup Folder | FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run. [1][5]
Enterprise | T1113 | Screen Capture | FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide some messages shown by the system during the setup process. [1][5]
Enterprise | T1063 | Security Software Discovery | FinFisher probes the system to check for antimalware processes. [1][5]
Enterprise | T1045 | Software Packing | A FinFisher variant uses a custom packer. [1][4]
Enterprise | T1082 | System Information Discovery | FinFisher checks whether the victim OS is 32- or 64-bit. [1][5]
Enterprise | T1497 | Virtualization/Sandbox Evasion | FinFisher probes the system to check for sandbox/virtualized environments. [1][5]
Groups that use this software:

Dark Caracal