
FinFisher Malware Hijacks Windows Boot Manager With UEFI Bootkit

Commercially developed FinFisher malware now can infect Windows devices using a UEFI bootkit that it injects in the Windows Boot Manager.

FinFisher (also known as FinSpy and Wingbird) is a surveillance solution developed by Gamma Group that also comes with malware-like capabilities often found in spyware strains.

Its developer says it’s sold exclusively to government agencies and law enforcement worldwide, but cybersecurity firms have also detected it while being delivered via spearphishing campaigns and the infrastructure of Internet Service Providers (ISPs).

Evasiveness and persistence powerhouse 

“During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one,” Kaspersky researchers revealed today.

“This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence.”

UEFI (Unified Extensible Firmware Interface) firmware can host highly persistent bootkit malware because the firmware lives in SPI flash storage soldered to the motherboard, so an implant placed there survives hard-drive replacement and even OS reinstallation.

Bootkits are malicious code planted in the firmware or the early boot chain. Because they are designed to load before everything else, in the initial stage of a device’s boot sequence, they are invisible to security solutions running inside the operating system.

They give attackers control over the operating system’s boot process and make it possible to sabotage OS defenses, bypassing the Secure Boot mechanism depending on the system’s boot security mode (enabling “full boot” or “thorough boot” mode would block the malware, as the NSA explains).

Publicly documented attacks and malware using bootkits in the wild are extremely rare: LoJax, used by the Russian-backed APT28 hacker group; MosaicRegressor, deployed by Chinese-speaking hackers; TrickBot’s TrickBoot module; and Moriya, which Chinese-speaking threat actors likely used for espionage since 2018.

“While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine,” the researchers added.

Older computers without UEFI support were infected using a similar tactic via the MBR (Master Boot Record), with a bootkit first detected in 2014.
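Because this variant swaps the Windows Boot Manager on the EFI System Partition (ESP) rather than touching the firmware, a defender can check for it from inside Windows. The script below is an added example written for this page; it is not code from Kaspersky’s report or from the article. It mounts the ESP, verifies that bootmgfw.efi carries a valid Authenticode signature from Microsoft, compares its SHA-256 hash with the reference copy Windows keeps under C:\Windows\Boot\EFI, and reports the Secure Boot state. The drive letter S: and the standard ESP path \EFI\Microsoft\Boot\bootmgfw.efi are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article or Kaspersky's report.
# Assumptions: drive letter S: is free; the ESP holds \EFI\Microsoft\Boot\bootmgfw.efi.
# Requires an elevated (Administrator) PowerShell session.

$EspLetter = 'S:'
$Candidate = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
$Reference = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"   # pristine copy used by bcdboot

# The ESP normally has no drive letter; 'mountvol <letter> /S' mounts it.
mountvol $EspLetter /S | Out-Null
try {
    if (-not (Test-Path $Candidate)) { throw "Boot manager not found at $Candidate" }

    # 1. Authenticode check: signature must validate and the signer must be Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $Candidate
    $signer = $sig.SignerCertificate.Subject      # $null if the file is unsigned
    Write-Host "Signature status : $($sig.Status)"
    Write-Host "Signer           : $signer"
    $sigOk = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    # 2. Hash comparison against the local reference copy; identical on an unmodified system.
    $hCandidate = (Get-FileHash -Algorithm SHA256 -Path $Candidate).Hash
    $hReference = (Get-FileHash -Algorithm SHA256 -Path $Reference).Hash
    Write-Host "ESP copy SHA256  : $hCandidate"
    Write-Host "Local copy SHA256: $hReference"
    $hashOk = ($hCandidate -eq $hReference)

    # 3. Secure Boot state. With Secure Boot on, firmware rejects a boot manager whose
    #    signature does not chain to a trusted db certificate, so a swapped file would
    #    not even load; the check matters most where Secure Boot is off or unknown.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS systems
    Write-Host "Secure Boot on   : $secureBoot"

    if ($sigOk -and $hashOk) {
        Write-Host 'RESULT: bootmgfw.efi is Microsoft-signed and matches the local reference copy.'
    } else {
        Write-Warning 'RESULT: boot manager fails verification; image the ESP and investigate before rebooting.'
    }
}
finally {
    mountvol $EspLetter /D | Out-Null    # always unmount the ESP again
}
```

Two caveats apply. A hash mismatch alone is not proof of compromise, since the two copies can briefly diverge around servicing; the signature result is the stronger signal, and an invalid or non-Microsoft signature on bootmgfw.efi should be treated as an incident. And because the check runs on top of the very OS the bootkit controls, an implant could in principle tamper with what it reports; booting the machine from trusted external media and inspecting the ESP offline avoids that dependency.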

Advanced obfuscation and anti-analysis measures

For other malware samples used in the attacks analyzed by Kaspersky, the spyware’s developers also used four layers of obfuscation and anti-analysis measures designed to make FinFisher one of the “hardest-to-detect spywares to date.”

Their efforts were highly effective since the malware samples could evade almost any detection attempt and were virtually impossible to analyze (every sample spotted by Kaspersky required “overwhelming” amounts of work to unscramble).

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” added Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect.”

You can find further details and indicators of compromise (IOCs) related to FinFisher’s Windows, Linux, and macOS infection vectors at the end of Kaspersky’s report.
