Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems.
Developed by a German company, FinSpy is extremely powerful spying software that is being sold as a legal law enforcement tool to governments around the world but has also been found in use by oppressive and dubious regimes to spy on activists.
FinSpy, also known as FinFisher, can target both desktop and mobile operating systems, including Android, iOS, Windows, macOS, and Linux. Its spying capabilities include secretly turning on the victim's webcam and microphone, recording everything the victim types on the keyboard, intercepting calls, and exfiltrating data.
According to the human rights organization Amnesty International, the newly discovered campaign is not linked to ‘NilePhish,’ a hacking group known for a series of attacks on Egyptian NGOs that involved an older version of FinSpy, phishing techniques, and malicious Flash Player downloads.
Instead, the new versions of FinSpy for Linux and macOS, along with those for Android and Windows, were used by a new, unknown hacking group, which Amnesty believes is state-sponsored and has been active since September 2019.
All the new malware samples had been uploaded to VirusTotal and were discovered as part of an ongoing effort by Amnesty International to actively track and monitor NilePhish’s activities.
The new binaries are obfuscated and stop their malicious activity when they find themselves running in a virtual machine, which makes the malware challenging for experts to analyze.
Moreover, even if a targeted smartphone isn’t rooted, the spyware attempts to gain root access using previously disclosed exploits.
“The modules available in the Linux sample are almost identical to the MacOS sample,” the researchers said.
“The modules are encrypted with the AES algorithm and compressed with the aplib compression library. The AES key is stored in the binary, but the IV is stored in each configuration file along with an MD5 hash of the final decompressed file.”
“The spyware communicates with the Command & Control (C&C) server using HTTP POST requests. The data sent to the server is encrypted using functions provided by the 7F module, compressed using a custom compressor, and base64 encoded.”
Meanwhile, the researchers have also provided indicators of compromise (IoCs) to help other researchers further investigate these attacks and to let users check whether their machines are among those compromised.
Kaspersky researchers last year revealed a similar cyber-espionage campaign where ‘then-new’ FinSpy implants for iOS and Android were being used to spy on users from Myanmar.