FinFisher fingered for Bahrain folk surveillance

Cop trojans come out of the shadows.

Security researchers are pointing the finger at German-based UK registered company Gamma International for a spy trojan that was emailed to Bahraini pro-democracy activists.

Researchers at The University of Toronto’s online civil rights group Citizen Lab on Wednesday published its research on malware samples sent to protestors in the Bahrain this April and May.

The researchers said its analysis “suggests” the use of FinSpy, a component of the Finfisher “commercial intrusion kit” distributed by Gamma International.

They point to references “finspyv4.01” and “finspyv2” contained within infected process strings.

“We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to another binary that communicates with Gamma International IP addresses,” they said.

“Taken alongside the explicit use of the name “FinSpy” in debug strings found in infected processes, we suspect that the malware is the FinSpy remote intrusion tool.”

Citizen Lab acquired the samples after they were sent to a Bloomberg journalist who forwarded them to the organisation for analysis.

Bahraini citizens were encouraged to open a .rar file email attachment, purportedly sent by Aljazeera journalist Melissa Chan.

Citizen Lab’s analysis revealed the trojan collects and encrypts data from infected machines, which include amongst other data, screenshots, keylog data, Skype call audio files, and passwords.

The discovery of the first samples of FinFisher malware will likely be welcome news to F-Secure researcher Mikko Hypponen who published documents revealing the relationship between Gamma International and the Egyptian Government last March.

The report came ahead of claims that rival Italian-based government surveillance vendor HackingTeam was behind the recent OS X trojan widely known as “Crisis”.

Dr Web, a Russian antivirus firm, on Thursday claimed the malware was actually a sample of the Italian vendor’s work.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

More about BloombergCitizen Watches AustraliaF-SecureSkype

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place