FinFisher fingered for Bahrain folk surveillance

Cop trojans come out of the shadows.

Security researchers are pointing the finger at German-based, UK-registered company Gamma International for a spy trojan that was emailed to Bahraini pro-democracy activists.

Researchers at Citizen Lab, the University of Toronto’s online civil rights group, on Wednesday published their research on malware samples sent to protestors in Bahrain this April and May.

The researchers said their analysis “suggests” the use of FinSpy, a component of the FinFisher “commercial intrusion kit” distributed by Gamma International.

They point to the references “finspyv4.01” and “finspyv2” found in the strings of infected processes.

“We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to another binary that communicates with Gamma International IP addresses,” they said.

“Taken alongside the explicit use of the name “FinSpy” in debug strings found in infected processes, we suspect that the malware is the FinSpy remote intrusion tool.”

Citizen Lab acquired the samples after they were sent to a Bloomberg journalist who forwarded them to the organisation for analysis.

Bahraini citizens were encouraged to open a .rar file email attachment, purportedly sent by Aljazeera journalist Melissa Chan.

Citizen Lab’s analysis revealed that the trojan collects and encrypts data from infected machines, including, among other data, screenshots, keylog data, Skype call audio files and passwords.

The discovery of the first samples of FinFisher malware will likely be welcome news to F-Secure researcher Mikko Hypponen, who published documents revealing the relationship between Gamma International and the Egyptian Government last March.

The report came ahead of claims that rival Italian-based government surveillance vendor HackingTeam was behind the recent OS X trojan widely known as “Crisis”.

Dr Web, a Russian antivirus firm, on Thursday claimed the malware was actually a sample of the Italian vendor’s work.


Stories by Liam Tung
