Finspy

Malware updated 3 months ago (2024-11-29T13:36:34.527Z)
Download STIX
Preview STIX
FinSpy is a sophisticated malware developed by Gamma Group, also known as FinFisher or Lench IT Solutions. This malicious software has the ability to record audio, turn on the device's camera, and exfiltrate data from smartphones without the owner's awareness. It is typically delivered through exploit chains in Microsoft Office documents, with the final payload being downloaded from specific IP addresses, such as 89.45.67[.]107. The BlackOasis Advanced Persistent Threat (APT) group has been closely tied to several instances of FinSpy activity, often exploiting zero-day vulnerabilities like the SOAP WSDL parser code injection vulnerability and Adobe Flash Player's CVE-2016-4117 to install the malware onto targeted devices. The use of FinSpy has sparked controversy due to allegations of its sale to authoritarian governments across the world. Civil rights organizations, including Amnesty International, have accused FinFisher of selling this spyware for nefarious purposes. In one notable instance, four FinFisher executives were indicted for evading export controls by selling FinSpy to Turkey's intelligence agency in 2015 via a Bulgarian front company. Recent reports have highlighted the emergence of a new version of FinSpy, which is still under analysis by cybersecurity researchers. This updated version was delivered as part of the same exploit chains, marking one of the earliest known uses of the new variant. Despite the absence of the exact payload details in the Command & Control (C&C) server, multiple FinSpy installation packages were found hosted on it. There has also been a noted shift from FinSpy to another malware, StrongPity2, indicating an evolution in the threat landscape.
Description last updated: 2024-05-04T21:08:04.721Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
FinFisher is a possible alias for Finspy. FinFisher, also known as FinSpy, is a notorious malware developed by the European company FinFisher. This malicious software has been used extensively for cyber espionage, exploiting vulnerabilities in systems to infiltrate and surveil targets, often without their knowledge. The malware infects syst
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Spyware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Blacklotus Malware is associated with Finspy. BlackLotus is a harmful malware that targets the Unified Extensible Firmware Interface (UEFI) and Secure Boot systems, exploiting their vulnerabilities to gain persistent kernel access and privileges. It was first detected in 2022 when security researchers discovered a UEFI bootkit being sold on hacUnspecified
2
Source Document References
Information about the Finspy Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
ESET
23 days ago
DARKReading
3 months ago
Securelist
3 months ago
BankInfoSecurity
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
CERT-EU
2 years ago