FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]

ID: S0182
Associated Software: FinSpy
Platforms: Windows, Android
Version: 1.2

Associated Software Descriptions

Name Description
FinSpy [3] [4]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[1][5]
Enterprise T1009 Binary Padding FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[1][5]
Enterprise T1067 Bootkit Some FinFisher variants incorporate an MBR rootkit.[1][5]
Enterprise T1088 Bypass User Account Control FinFisher performs UAC bypass.[1][5]
Enterprise T1140 Deobfuscate/Decode Files or Information FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[1][5]
Enterprise T1038 DLL Search Order Hijacking A FinFisher variant uses DLL search order hijacking.[1][4]
Enterprise T1073 DLL Side-Loading FinFisher uses DLL side-loading to load malicious programs.[1][5]
Enterprise T1083 File and Directory Discovery FinFisher enumerates directories and scans for certain files.[1][5]
Enterprise T1179 Hooking FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.[1][6]
Enterprise T1070 Indicator Removal on Host FinFisher clears the system event logs.[1][5]
Enterprise T1036 Masquerading FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[1][5]
Enterprise T1050 New Service FinFisher creates a new Windows service with the malicious executable for persistence.[1][5]
Enterprise T1027 Obfuscated Files or Information FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[1][5]
Enterprise T1057 Process Discovery FinFisher checks its parent process for indications that it is running in a sandbox setup.[1][5]
Enterprise T1055 Process Injection FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.[1][5]
Enterprise T1012 Query Registry FinFisher queries Registry values as part of its anti-sandbox checks.[1][5]
Enterprise T1060 Registry Run Keys / Startup Folder FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.[1][5]
Enterprise T1113 Screen Capture FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.[1][5]
Enterprise T1063 Security Software Discovery FinFisher probes the system to check for antimalware processes.[1][5]
Enterprise T1045 Software Packing A FinFisher variant uses a custom packer.[1][4]
Enterprise T1082 System Information Discovery FinFisher checks if the victim OS is 32 or 64-bit.[1][5]
Enterprise T1497 Virtualization/Sandbox Evasion FinFisher probes the system to check for sandbox/virtualized environments.[1][5]
Mobile T1433 Access Call Log FinFisher accesses and exfiltrates the call log.[7]
Mobile T1412 Capture SMS Messages FinFisher captures and exfiltrates SMS messages.[7]
Mobile T1436 Commonly Used Port FinFisher exfiltrates data over commonly used ports, such as ports 21, 53, and 443.[7]
Mobile T1404 Exploit OS Vulnerability FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[7]
Mobile T1430 Location Tracking FinFisher tracks the latitude and longitude coordinates of the infected device.[7]
Mobile T1429 Microphone or Camera Recordings FinFisher uses the device microphone to record phone conversations.[7]


Groups that use this software:

Dark Caracal