FinFisher-like government spyware found in APT attacks

Microsoft security researchers say two advanced persistent threat (APT) groups - believed to be state actors - are spying on targeted individuals in Europe and Turkey using zero-day exploits.

Wingbird schematic. Source: Microsoft SIR.

The groups, dubbed Promethium and Neodymium by Microsoft, have been active in Europe since as early as 2012. The security researchers have linked the two because they use the same exploit code in their attacks.

Neodymium uses the W32/Wingbird.A!dha backdoor to spy on users. Microsoft noted that the malware's characteristics "closely match" the FinFisher government spyware developed by Gamma Group, that was leaked after a hack in 2014.

It believes the Wingbird backdoor is a relatively new version of FinFisher.

"The apparent use of a version of FinFisher suggests that the exploit and the spear phishing campaign that delivered it were the work of an attack group probably connected in some way to a state actor," Microsoft said in its Security Intelligence Report for January to June this year.

Both the 32 and 64-bit version of Wingbird checks for the presence of the ico_sf46.ico file, which is a known FinFisher component.

Once planted on a target computer, the spyware records keystrokes and takes screenshots, and has been used by repressive regimes to crack down on democracy and civil liberties activists around the world.

The NSW Police Force was named as a licensed user of FinFisher in documents dumped by Wikileaks in 2014.

To deploy the spyware, both Promethium and Neodymium used zero-days such as the CVE-2016-4117 confusion code bug in Adobe Flash.

The Adobe Flash exploit was encoded into a malicious file purporting to be a Rich Text Format (RTF) document, and was sent to victims via a phishing email. Once opened, the attachment downloaded and ran Wingbird on the victim's computer.

The version of Wingbird analysed by Microsoft is obfuscated at source code level to make malware analysis more difficult, and to evade security tools. It is also able to inject malicious code from one Windows process to another to hide execution of the payload, which makes it extremely difficult to detect Wingbird running.

Promethium has used the Truvasys malware in its campaigns, Microsoft said. This masquerades as popular Windows tools such as WinUtils, TrueCrypt, WinRAR and SanDisk. 

Microsoft said the APT group sent out new versions of Truvasys for different attacks, suggesting Promethium maintains a close relationship with the malware developers.

Truvasys was aimed at Turkish users through a combination of spear-phishing and watering hole attacks, being embedded into legitimate applications to trick people into running the installers. 

Microsoft did not say who they believe is behind the attacks, or provide details on the victims of Promethium and Neodymium.