FinFisher spyware improves its arsenal with four levels of obfuscation, UEFI infection and more


Woburn, MA, Sept. 28, 2021 (GLOBE NEWSWIRE) -- Presenting at the Security Analyst Summit (SAS) 2021, Kaspersky researchers shared the results of a comprehensive investigation into several recent updates introduced into FinSpy spyware for Windows, macOS, Linux, and its installers. The research, which took eight months to complete, uncovered four-layer obfuscation and advanced anti-analysis measures employed by the spyware’s developers, as well as the use of a UEFI bootkit to infect victims. The findings suggest a strong emphasis on defense evasion, making FinFisher one of the hardest-to-detect spyware tools to date.

FinFisher, also known as FinSpy or Wingbird, is a surveillance tool that Kaspersky has been tracking since 2011. It is capable of gathering various credentials, file listings, deleted files and various documents, of livestreaming or recording data, and of gaining access to a webcam and microphone. Its Windows implants were detected and researched several times up to 2018, when FinFisher appeared to have gone under the radar.

After that, Kaspersky solutions detected suspicious installers of legitimate applications such as TeamViewer, VLC Media Player, and WinRAR, which contained malicious code that could not be connected to any known malware. That changed when the researchers discovered a website in Burmese that hosted the infected installers alongside samples of FinFisher for Android, which helped establish that the installers were Trojanized with the same spyware. This discovery pushed Kaspersky researchers to investigate FinFisher further.

Unlike previous versions of the spyware, which contained the Trojan in the infected application right away, new samples were protected by two components: a non-persistent Pre-Validator and a Post-Validator. The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Only when the checks pass does the server provide the Post-Validator component, which ensures that the infected victim is the intended one. Only then would the server command deployment of the full-fledged Trojan platform.

FinFisher is heavily obfuscated with four complex custom-made obfuscators. The primary function of this obfuscation is to slow down the analysis of the spyware. On top of that, the Trojan also employs peculiar methods of gathering information. For instance, it uses the developer mode in browsers to intercept traffic protected with the HTTPS protocol.

The researchers also discovered a sample of FinFisher that replaced the Windows UEFI bootloader (the component that launches the operating system after the firmware has started) with a malicious one. This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence. While in this case the attackers did not infect the UEFI firmware itself but the next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine.

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” said Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect. The fact that this spyware is deployed with high precision and is practically impossible to analyze also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample. I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge as well as invest in new types of security solutions that can combat such threats.”

Read the full report on FinFisher on Securelist.

To protect yourself from such threats as FinFisher, Kaspersky recommends that users:

  • Download your apps and programs from trusted websites.
  • Don’t forget to update your operating system and all software regularly. Many safety issues can be solved by installing updated versions of software. 
  • Distrust e-mail attachments by default. Before clicking to open an attachment or follow a link, consider carefully: Is it from someone you know and trust; is it expected; is it clean? Hover over links and attachments to see what they’re named or where they really go. 
  • Avoid installing software from unknown sources. It may and often does contain malicious files.
  • Use a strong security solution on all computers and mobile devices, such as Kaspersky Internet Security for Android or Kaspersky Total Security. 

 

For organizations’ protection, Kaspersky suggests the following:

  • Set up a policy for non-corporate software use. Educate your employees about the risks of downloading unauthorized applications from untrusted sources.

 

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
