Ethiopia uses Ginbot 7 pictures to plant spyware on computers

You Only Click Twice: FinFisher’s Global Proliferation

March 13, 2013

Authors: Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.

This post describes the results of a comprehensive global Internet scan for the command and control servers of FinFisher’s surveillance software. It also details the discovery of a campaign in Ethiopia that used FinFisher to target individuals linked to an opposition group. Additionally, it provides an examination of a FinSpy Mobile sample found in the wild, which appears to have been used in Vietnam.

Summary of Key Findings

  • We have found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries: Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.
  • A FinSpy campaign in Ethiopia uses pictures of Ginbot 7, an Ethiopian opposition group, as bait to infect users. This continues the theme of FinSpy deployments with strong indications of politically-motivated targeting.
  • There is strong evidence of a Vietnamese FinSpy Mobile Campaign. We found an Android FinSpy Mobile sample in the wild with a command & control server in Vietnam that also exfiltrates text messages to a local phone number.
  • These findings call into question claims by Gamma International that previously reported servers were not part of their product line, and that previously discovered copies of their software were either stolen or demo copies.

Tags: ecadf, Ginbot 7

5 Responses to Ethiopia uses Ginbot 7 pictures to plant spyware on computers

  1. Ittu Aba Farda

    March 15, 2013 at 8:29 am

    I am not surprised by this discovery but I still find it somewhat worrisome. The regime has to deploy every tool that will be instrumental in perpetuating its rule. But I am worried by the ramifications it entails in that others may deploy their own ‘espionage’ tools to counter it. From early on I have been using every antiviral software to protect my computer from hackers and malicious viruses. More often my computer has been detecting sources trying to intrude. Surprisingly, some of those sources are websites where I have been posting comments. It is obvious that some of these websites are amassing email and IP addresses of people who have posted comments on their websites. What are they doing with such a stockpile of email and IP addresses? They may try to justify their actions by telling us all that they are trying to identify those individuals alleged to be government spies. What they may not know is the fact that such snooping around and amassing personal information without the consent of the owners is a serious crime here in the Good ‘Ole USA. It is very worrisome and they should all stop ‘stealing’ personal information from those who participated in the discussions on their websites. They should come out clean in denying it.

  2. beka@hodaderoch.org

    March 15, 2013 at 1:25 am

    Follow the instructions to remove the spyware if your device is infected…

  3. Askale Dama

    March 14, 2013 at 3:04 pm

    Thank you to all those computer & IT experts and activist hackers for exposing Woyane spies and abusers. I feel so proud of G7 IT heroes and young Ethiopian geniuses on the cyber-war frontline! This is a war we can win at this very moment. Bombard the Woyane HQ!!!!

  4. Selam

    March 14, 2013 at 4:14 am

    Hello ECADF and Ethiopians expert in IT,

    Can you please explain this to us in non-IT language, for those of us who are clueless about IT language but are users… How can we protect ourselves? How does this work, and so on… Can some IT expert inform the Ethiopian audience (we are all using the web) what is at stake here, how we could protect ourselves, and what the signs are that our PCs have been hacked? Woyane, fearing, is ready to destroy all it can, but cyber war: hahahah, they have gone out of their minds again.

    NOTHING WILL STOP US WOYANE! NOTHING

  5. Teka

    March 14, 2013 at 1:18 am

    Amazing. About five or six years ago, it was believed that INSA of Ethiopia was spreading a spyware called “Dulla” across internet shops and infecting PCs. This news is not a surprise.

    By the way, does anyone encounter a PC screen flashing a light for a fraction of a second, just as a camera flashes?

    A day before, I discovered that MS Silverlight activates your webcam without your knowledge. And, if there is a spy software that can make use of that functionality, i.e. harness the webcam command and control, it means that the spyware can simply take your picture from a distance without your knowledge.

    I am now wondering whether that instant PC screen flashing might have something to do with some backdoor spyware tools that use Silverlight to trigger your webcam and take a picture.

    It would be nice if some computer gurus could have some say about it.