FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]

ID: S0182
Associated Software: FinSpy
Platforms: Windows, Android
Version: 1.4
Created: 16 January 2018
Last Modified: 02 March 2022

Associated Software Descriptions

Name Description

[3] [4]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

FinFisher performs UAC bypass.[1][5]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[1][5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.[1][5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FinFisher creates a new Windows service with the malicious executable for persistence.[1][5]

Enterprise T1140 Deobfuscate/Decode Files or Information

FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[1][5]

Enterprise T1083 File and Directory Discovery

FinFisher enumerates directories and scans for certain files.[1][5]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

A FinFisher variant uses DLL search order hijacking.[1][4]

.002 Hijack Execution Flow: DLL Side-Loading

FinFisher uses DLL side-loading to load malicious programs.[1][5]

.013 Hijack Execution Flow: KernelCallbackTable

FinFisher has used the KernelCallbackTable to hijack the execution flow of a process by replacing the __fnDWORD function with the address of a created Asynchronous Procedure Call stub routine.[6]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FinFisher clears the system event logs using OpenEventLog/ClearEventLog APIs .[1][5]

Enterprise T1056 .004 Input Capture: Credential API Hooking

FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.[1][7]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[1][5]

Enterprise T1027 Obfuscated Files or Information

FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[1][5]

.001 Binary Padding

FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[1][5]

.002 Software Packing

A FinFisher variant uses a custom packer.[1][4]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Some FinFisher variants incorporate an MBR rootkit.[1][5]

Enterprise T1057 Process Discovery

FinFisher checks its parent process for indications that it is running in a sandbox setup.[1][5]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.[1][5]

Enterprise T1012 Query Registry

FinFisher queries Registry values as part of its anti-sandbox checks.[1][5]

Enterprise T1113 Screen Capture

FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.[1][5]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FinFisher probes the system to check for antimalware processes.[1][4]

Enterprise T1082 System Information Discovery

FinFisher checks if the victim OS is 32 or 64-bit.[1][5]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.[5]

Mobile T1429 Audio Capture

FinFisher uses the device microphone to record phone conversations.[8]

Mobile T1404 Exploitation for Privilege Escalation

FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[8]

Mobile T1430 Location Tracking

FinFisher tracks the latitude and longitude coordinates of the infected device.[8]

Mobile T1636 .002 Protected User Data: Call Log

FinFisher accesses and exfiltrates the call log.[8]

.004 Protected User Data: SMS Messages

FinFisher captures and exfiltrates SMS messages.[8]

Groups That Use This Software

ID Name References
G0070 Dark Caracal