FinFisher fingered for Bahrain folk surveillance

Cop trojans come out of the shadows.
By Liam Tung (CSO Online), 27 July, 2012 10:06

Security researchers are pointing the finger at German-based, UK-registered company Gamma International for a spy trojan that was emailed to Bahraini pro-democracy activists.

Researchers at the University of Toronto’s online civil rights group Citizen Lab on Wednesday published their research on malware samples sent to protestors in Bahrain this April and May.

The researchers said their analysis “suggests” the use of FinSpy, a component of the FinFisher “commercial intrusion kit” distributed by Gamma International.

They point to references “finspyv4.01” and “finspyv2” contained within infected process strings.

“We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to another binary that communicates with Gamma International IP addresses,” they said.

“Taken alongside the explicit use of the name ‘FinSpy’ in debug strings found in infected processes, we suspect that the malware is the FinSpy remote intrusion tool.”

Citizen Lab acquired the samples after they were sent to a Bloomberg journalist who forwarded them to the organisation for analysis.

Bahraini citizens were encouraged to open a .rar file email attachment, purportedly sent by Aljazeera journalist Melissa Chan.

Citizen Lab’s analysis revealed the trojan collects and encrypts data from infected machines, including, amongst other data, screenshots, keylog data, Skype call audio files, and passwords.

The discovery of the first samples of FinFisher malware will likely be welcome news to F-Secure researcher Mikko Hypponen, who published documents revealing the relationship between Gamma International and the Egyptian Government last March.

The report came ahead of claims that rival Italian-based government surveillance vendor HackingTeam was behind the recent OS X trojan widely known as “Crisis”.

Dr Web, a Russian antivirus firm, on Thursday claimed the malware was actually a sample of the Italian vendor’s work.
