Security researchers are pointing the finger at German-based UK registered company Gamma International for a spy trojan that was emailed to Bahraini pro-democracy activists.
Researchers at The University of Toronto’s online civil rights group Citizen Lab on Wednesday published its research on malware samples sent to protestors in the Bahrain this April and May.
The researchers said its analysis “suggests” the use of FinSpy, a component of the Finfisher “commercial intrusion kit” distributed by Gamma International.
They point to references “finspyv4.01” and “finspyv2” contained within infected process strings.
“We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to another binary that communicates with Gamma International IP addresses,” they said.
“Taken alongside the explicit use of the name “FinSpy” in debug strings found in infected processes, we suspect that the malware is the FinSpy remote intrusion tool.”
Citizen Lab acquired the samples after they were sent to a Bloomberg journalist who forwarded them to the organisation for analysis.
Bahraini citizens were encouraged to open a .rar file email attachment, purportedly sent by Aljazeera journalist Melissa Chan.
Citizen Lab’s analysis revealed the trojan collects and encrypts data from infected machines, which include amongst other data, screenshots, keylog data, Skype call audio files, and passwords.
The discovery of the first samples of FinFisher malware will likely be welcome news to F-Secure researcher Mikko Hypponen who published documents revealing the relationship between Gamma International and the Egyptian Government last March.
The report came ahead of claims that rival Italian-based government surveillance vendor HackingTeam was behind the recent OS X trojan widely known as “Crisis”.
Dr Web, a Russian antivirus firm, on Thursday claimed the malware was actually a sample of the Italian vendor’s work.