Cable Forum > Computers & IT > Security & Virus Discussion
FinSpy - Government/Law Enforcement Malware hacked and leaked
Post #1, 07-08-2014, 19:02
Qtx (Join Date: May 2012; Location: Probably outside the M25; Services: Sky Fibre Unlimited 40/10; Posts: 3,473)

FinSpy, which supplies police forces and governments around the world with infiltration and trojan abilities, has been hacked (again).

Rather than explain it all, check out this sub on Reddit.

The Android and other phone trojans are part of a torrent listed on the above page. The whole package would be interesting for someone in the infosec industry or with this stuff as a hobby. You can see things like how they just re-sell Vupen exploits as infection vectors, and suchlike.

Also, on the antivirus side of things, one of the slides in the package shows that only ESET Antivirus would catch and stop the infection a few months ago. Even then, only on 32-bit versions of Windows and not 64-bit versions, which will interest those from another security thread recently.

https://www.dropbox.com/s/6fpd5rnwx0...y-PC-4.51.xlsm
Post #2, 08-08-2014, 14:29
Qtx

Those are the AV results in the link above, by the way, in xls format. It will be interesting to see what happens, as all the AV vendors now have a few versions of FinSpy to add to their definitions. So some people are going to get a definitions update and find they are infected with it. It's not hard for them to make it AV-proof again, but if they do it in a unique way for every client, it's a fair bit of work.

Following links somewhere on that subreddit, you can find a torrent/magnet link with the web server C&C code, FinSpy installs for all phone OSes, etc. Some of it is PGP-encrypted, but a lot isn't.
Post #3, 16-08-2014, 16:56
Qtx

Something seen in a write-up about packet interception and injection where FinSpy was mentioned, but the way they encapsulated how the injection works into a few sentences was too good not to share:

Quote:
Binary Mode is a flag to enable detection of a Windows binary PE header on the wire, modify it in transit and inject loader + payload into the download ahead of the real binary. The real icon is preserved. Upon execution, the downloaded file would run the loader, which executed the payload then cleaned the downloaded file on disk, such that it was the originally requested file. By this time, the payload would be memory resident. Finally, the real binary would be executed. This technique would work even with self-checking binaries.

Update Mode is a flag to simulate responses of update checks for iTunes, WinAmp, and other popular applications at the time. These responses were served from FinFly and spoofed applications into updating with infected versions. It is possible to set both flags for a target.

TrojanID is the payload to inject. FinFly could be loaded with several different trojans and a target-dependent payload could be set. UTrojanID is the payload for update mode. These columns contain an ID which references the trojan from a simple RAM-based filesystem created at load time with pre-built arrays.

Compltd Count is the number of confirmed infections, based on the fact that the target TCP/IP stack had acknowledged all the packets sent to it at the end of the session.
The Register now has an article on it: Time to ditch HTTP – govt malware injection kit thrust into spotlight
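As an added example (not code from the thread, from The Register article, or from the leaked FinFly tooling), the script below models the "Binary Mode" trigger quoted above and the check that defeats it. Everything in it is constructed: a minimal PE-shaped blob stands in for a real installer, inject_ahead only models the ordering of loader and original in the stream (the real kit also fixes headers and carries the icon across), and PUBLISHED_SHA256 is assumed to have been obtained over a channel the injector does not sit on, such as the vendor's HTTPS download page.

```python
# Added example, not code from the thread, FinFly or any leaked tooling.
# It models the trigger described in the quoted passage (a Windows PE
# header detected in an HTTP response body while it is still in transit)
# and the check that defeats the technique: hash the bytes you actually
# received against a value obtained out of band, before anything runs.
# The HTTP response and PE blobs below are constructed, minimal stand-ins.
import hashlib
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def looks_like_pe(body: bytes) -> bool:
    """True if body starts with a DOS header whose e_lfanew field points at
    'PE\\0\\0'.  An in-path injector only needs these first bytes, so it can
    decide to tamper long before the download completes."""
    if len(body) < 0x40 or body[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == PE_SIG


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_injection_candidate(raw: bytes) -> bool:
    """The 'Binary Mode' trigger: a successful plaintext response carrying a PE."""
    status, _headers, body = parse_http_response(raw)
    return status.startswith(b"HTTP/1.") and b" 200 " in status and looks_like_pe(body)


def synthetic_pe(marker: bytes) -> bytes:
    """Constructed PE-shaped blob: 0x40-byte DOS header, e_lfanew=0x40, PE signature, marker."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIG + marker


def inject_ahead(original: bytes, loader: bytes) -> bytes:
    """Model of the in-transit rewrite: the stream now begins with the loader's
    PE and the original follows it.  Only the ordering is modelled here."""
    return loader + original


def restore_original(tampered: bytes, loader_len: int) -> bytes:
    """What the loader does after running its payload: put the requested file back."""
    return tampered[loader_len:]


def verify_download(body: bytes, expected_sha256: str) -> bool:
    """Defender's check: compare what arrived with a hash obtained over a channel
    the injector does not sit on, BEFORE the file is written and executed."""
    return hashlib.sha256(body).hexdigest() == expected_sha256


# Constructed sample data
ORIGINAL = synthetic_pe(b"vendor-setup.exe body")
LOADER = synthetic_pe(b"loader+payload")
TAMPERED = inject_ahead(ORIGINAL, LOADER)
# Assumption: this value was read from the vendor's HTTPS page, not from the stream.
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def http_response(body: bytes) -> bytes:
    """Constructed plaintext HTTP response wrapping a body."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def demo() -> dict:
    clean = http_response(ORIGINAL)
    tampered = http_response(TAMPERED)
    _, _, got = parse_http_response(tampered)
    return {
        "clean_is_candidate": is_injection_candidate(clean),
        "tampered_still_looks_like_pe": looks_like_pe(got),
        "hash_check_at_download": verify_download(got, PUBLISHED_SHA256),
        # a check run after the loader has 'cleaned' the file sees the original again
        "hash_check_after_cleanup": verify_download(restore_original(got, len(LOADER)),
                                                    PUBLISHED_SHA256),
        "html_is_candidate": is_injection_candidate(http_response(b"<html></html>")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two hash results are the point. Checking what arrived before it is written or executed catches the injected stream, while a check that runs after the loader has restored the original file (the "self-checking binaries" remark in the quote) sees a clean file and passes. The same logic applies to Update Mode: an update client should verify a signature or pinned hash on what it downloaded rather than trust the update-check response. Fetching over HTTPS removes the plaintext stream the injector needs in the first place, which is what The Register headline is getting at.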