Posted: 2020. 10. 1, 2:37:14 PM
FinSpy has returned in new campaigns targeting dissident organizations in Egypt – and researchers uncovered new samples of the spyware targeting macOS and Linux users.
The FinSpy commercial spyware is back in recently observed campaigns against organizations and activists in Egypt. While the spyware previously targeted Windows, iOS and Android users, researchers have discovered these campaigns using new variants that target macOS and Linux users.
FinSpy is a full-fledged surveillance software suite, which has the ability to intercept victims’ communications, access private data, and record audio and video, according to Amnesty International, which uncovered the recent new variants. It’s been in use by law-enforcement and government agencies around the world since 2011.
However, researchers recently uncovered never-before-seen FinSpy samples that have been in use in campaigns since October 2019. These samples include “Jabuka.app,” a FinSpy variant for macOS, and “PDF,” a FinSpy variant for Linux. Both were publicly disclosed Friday for the first time.
The most recent attacks published this week continue to target Egyptian civil-society organizations. Researchers said that the FinSpy sample for macOS “uses a quite complex chain to infect the system, and the developers took measures to complicate its analysis.”
The sample is unique in that all its binaries are obfuscated with the open-source Obfuscator-LLVM, which was developed by a research team in 2013. However, according to Patrick Wardle, security researcher with Jamf, the obfuscation is easy to bypass.
“Good news, this obfuscation doesn’t really hinder analysis,” he said in a detailed analysis over the weekend. “One can simply scroll past it in a disassembler, or in a debugger set breakpoints on relevant (non-obfuscated) code.”
Once downloaded, the first stage of the spyware conducts checks to detect whether it is running in a virtual machine (VM). If not, it decrypts a ZIP archive, which contains the installer and binaries for privilege escalation (including one that exploits a bug in Mac OS X and another with a Python exploit for CVE-2015-5889, a local privilege-escalation flaw in the remote_cmds component of Apple OS X before 10.11).
“This first stage uses the exploits to get root access,” said Amnesty International researchers. “If none of them work, it will ask the user to grant root permissions to launch the next-stage installer.”
The Linux payload, meanwhile, is very similar to the macOS version, which researchers believe suggests a shared codebase. However, the launchers and the infection chain are adapted to work on Linux systems, with the “PDF” file obtained from the server being a short script containing encoded binaries for 32-bit and 64-bit Linux.
Once downloaded, the file extracts an installer and executes it, which then checks that the system is not running in a virtual machine before extracting a first-stage payload. Like its macOS counterpart, FinSpy for Linux is also obfuscated using Obfuscator-LLVM.
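The Linux lure is a file delivered as a “PDF” that is really a shell script carrying the installer binaries inline. As an added example (not Amnesty International's or Threatpost's code, and not the actual FinSpy dropper), the Python below does the triage an analyst would do on such a file: it checks whether the bytes really start with a PDF header or with a script shebang, then pulls out every long base64 run, decodes it, and parses the ELF identification bytes to report bitness, endianness, file type and machine. The article only says the binaries are “encoded”; base64 is an assumption here, as is the constructed sample lure (fake 64-byte ELF headers, no real code), which is embedded so the script runs offline.

```python
"""Triage a 'document' that may be a shell-script dropper with encoded ELF payloads.

Added example, not code from the original article, Amnesty International or FinSpy.
Assumptions: payloads are base64-encoded (the article only says 'encoded'), and the
sample lure below is constructed for illustration.
"""
import base64
import re
import struct

ELF_MAGIC = b"\x7fELF"
ELF_TYPES = {2: "EXEC", 3: "DYN"}
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
# Runs of base64 text (line breaks allowed) long enough to hold at least an ELF header.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{80,}")


def elf_header_info(blob):
    """Parse the ELF identification bytes; return None if blob is not an ELF image."""
    if len(blob) < 20 or not blob.startswith(ELF_MAGIC):
        return None
    ei_class, ei_data = blob[4], blob[5]          # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])  # same offsets in ELF32/ELF64
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "size": len(blob),
    }


def triage_lure(data):
    """Classify a file offered as a 'PDF' and list any base64-encoded ELF images inside it."""
    report = {
        "real_pdf": data.startswith(b"%PDF-"),
        "shell_script": data.lstrip().startswith(b"#!"),
        "payloads": [],
    }
    for match in B64_RUN.finditer(data):
        run = re.sub(rb"\s+", b"", match.group(0))
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:                         # binascii.Error subclasses ValueError
            continue
        info = elf_header_info(blob)
        if info:
            info["offset"] = match.start()
            report["payloads"].append(info)
    return report


def _fake_elf(ei_class, e_machine):
    """Constructed 64-byte ELF header with no code, enough to exercise the parser."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\0" * 8   # class, little-endian, v1, SYSV
    return (ident + struct.pack("<HHI", 2, e_machine, 1)).ljust(64, b"\0")


ELF32_B64 = base64.b64encode(_fake_elf(1, 0x03)).decode()
ELF64_B64 = base64.b64encode(_fake_elf(2, 0x3E)).decode()

# Constructed lure modelled on the description: a script named like a document that
# picks a 32- or 64-bit payload, writes it out and runs it. Not the real dropper.
SAMPLE_LURE = f"""#!/bin/sh
# constructed sample for the triage script above
if [ "$(uname -m)" = "x86_64" ]; then
  PAYLOAD="{ELF64_B64}"
else
  PAYLOAD="{ELF32_B64}"
fi
echo "$PAYLOAD" | base64 -d > /tmp/.inst && chmod +x /tmp/.inst && /tmp/.inst
""".encode()


if __name__ == "__main__":
    result = triage_lure(SAMPLE_LURE)
    print("real PDF:", result["real_pdf"], "| shell script:", result["shell_script"])
    for p in result["payloads"]:
        print(f"offset {p['offset']}: {p['bits']}-bit {p['machine']} {p['type']} ({p['size']} bytes)")
```

On the constructed sample the script reports no PDF header, a shebang, and two embedded ELF images, the 64-bit x86-64 one first because it appears first in the file. To run it on a captured lure, read the file as bytes and pass them to `triage_lure`; a real dropper would yield full binaries, so the `size` field also tells you which blob to carve out for further analysis.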
The malware variants for both macOS and Linux include a large list of modules with keylogging, scheduling and screen-recording capabilities. They can also steal emails by installing a malicious add-on to Apple Mail or Thunderbird, which forwards the emails for FinSpy to collect, and they can collect information about Wi-Fi networks.
“FinSpy for Mac OS, and similarly its Linux counterpart, follow a modular design,” said researchers. “The launcher logind only instantiates the core component dataPkg, which oversees communications with the Command and Control server (C&C), and decrypting/launching modules when needed.”
Source: https://threatpost.com/mac-linux-attack-finspy/159607/
9.28.2020, Threatpost, Lindsey O'Donnell
1. FinSpy is surveillance software originally used by governments for investigation(?) purposes. Here, however, it was used to keep watch on anti-government groups in Egypt.
2. It originally targeted Windows, iOS and Android, but the newly discovered samples target macOS and Linux.
3. How it works: stage 1: check whether it is running in a VM --> stage 2: try exploits to obtain root. If they fail --> stage 3: ask the user to grant root permissions to the installer, which hands the attacker elevated privileges.
Thoughts: First of all, this was the first time I had come across a government-run violation of civilians' privacy this directly, and it is unsettling (though it does not seem to have been used in our country).
Also, the way this software works, put simply, is a burglar trying to defeat the door lock and, when that fails, asking the homeowner to open the door (...), and it is scary that this approach would probably work in practice.
To keep ordinary people from being caught up in this kind of harm, security experts must either know about vulnerabilities in advance and respond to them, or strengthen security while hurting user convenience as little as possible; they may well be wrestling with the dilemma between convenience and safety.
Security problems seem to be valuable precisely because they are important and not easily solved.
[Figure: FinSpy macOS installation process. Credit: Amnesty International]