FinFisher fingered for Bahrain folk surveillance

Cop trojans come out of the shadows.

Security researchers are pointing the finger at German-based, UK-registered company Gamma International for a spy trojan that was emailed to Bahraini pro-democracy activists.

Researchers at the University of Toronto’s online civil rights group Citizen Lab on Wednesday published their research on malware samples sent to protestors in Bahrain this April and May.

The researchers said their analysis “suggests” the use of FinSpy, a component of the FinFisher “commercial intrusion kit” distributed by Gamma International.

They point to references “finspyv4.01” and “finspyv2” contained within infected process strings.

“We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to another binary that communicates with Gamma International IP addresses,” they said.

“Taken alongside the explicit use of the name ‘FinSpy’ in debug strings found in infected processes, we suspect that the malware is the FinSpy remote intrusion tool.”

Citizen Lab acquired the samples after they were sent to a Bloomberg journalist who forwarded them to the organisation for analysis.

Bahraini citizens were encouraged to open a .rar file email attachment, purportedly sent by Aljazeera journalist Melissa Chan.

Citizen Lab’s analysis revealed the trojan collects and encrypts data from infected machines, including, among other data, screenshots, keylog data, Skype call audio files, and passwords.

The discovery of the first samples of FinFisher malware will likely be welcome news to F-Secure researcher Mikko Hypponen, who published documents revealing the relationship between Gamma International and the Egyptian Government last March.

The report came ahead of claims that rival Italian-based government surveillance vendor HackingTeam was behind the recent OS X trojan widely known as “Crisis”.

Dr Web, a Russian antivirus firm, on Thursday claimed the malware was actually a sample of the Italian vendor’s work.
