FinSpy is a sophisticated malware developed by Gamma Group, also known as FinFisher or Lench IT Solutions. This malicious software has the ability to record audio, turn on the device's camera, and exfiltrate data from smartphones without the owner's awareness. It is typically delivered through exploit chains in Microsoft Office documents, with the final payload being downloaded from specific IP addresses, such as 89.45.67[.]107. The BlackOasis Advanced Persistent Threat (APT) group has been closely tied to several instances of FinSpy activity, often exploiting zero-day vulnerabilities like the SOAP WSDL parser code injection vulnerability and Adobe Flash Player's CVE-2016-4117 to install the malware onto targeted devices.
The use of FinSpy has sparked controversy due to allegations of its sale to authoritarian governments across the world. Civil rights organizations, including Amnesty International, have accused FinFisher of selling this spyware for nefarious purposes. In one notable instance, four FinFisher executives were indicted for evading export controls by selling FinSpy to Turkey's intelligence agency in 2015 via a Bulgarian front company.
Recent reports have highlighted the emergence of a new version of FinSpy, which is still under analysis by cybersecurity researchers. This updated version was delivered through the same exploit chains, marking one of the earliest known uses of the new variant. Although the exact payload details were not recovered from the Command & Control (C&C) server, multiple FinSpy installation packages were found hosted on it. A shift from FinSpy to another malware family, StrongPity2, has also been noted, indicating an evolution in the threat landscape.
Description last updated: 2024-05-04T21:08:04.721Z