ESET finds that Internet providers may well be involved in latest FinFisher surveillance campaigns

ESET researchers have detected surveillance campaigns utilizing a new variant of FinFisher, the infamous spyware also known as FinSpy. Seven countries are affected (to avoid putting anyone in danger, ESET will not name them) and in two of them, major internet providers have most likely been involved in infecting the targets of surveillance.

“In two of the campaigns, the spyware has been spread via a man-in-the-middle attack and we believe that major internet providers have played the role of the man in the middle,” explains Filip Kafka, the ESET Malware Analyst who conducted the research.

FinFisher is spyware marketed as a law enforcement tool and sold to governmental agencies around the world. It is also believed to have been used by oppressive regimes.

FinFisher spyware has extensive spying capabilities, such as live surveillance through webcams and microphones, keylogging, and exfiltration of files. Its latest version has received a number of improvements aimed at extending its spying capabilities, staying under the radar and preventing analysis. The most important innovation, however, is the way in which the surveillance tool is delivered to targeted computers.

When a targeted user is about to download one of several popular applications such as WhatsApp, Skype or VLC Player, they are redirected to the attacker’s server. There, they are served a trojanized installation package infected with FinFisher.
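As an added illustration (not ESET's code and not part of the original release), a small defender-side check modelled on the delivery method described above: it flags a download whose redirect chain leaves the vendor's own hosts, or whose installer hash differs from the vendor-published value. The host names, hashes and the sample redirect chain are constructed for the example.

```python
"""Flag the delivery pattern described above: a request for a popular
application's installer that is answered by a redirect off the vendor's
domain, and/or an installer whose hash does not match the published value.

Added example; every URL, hash and response below is constructed."""
import hashlib
from urllib.parse import urlsplit

# Constructed allow-list of hosts permitted to serve each application.
# Real vendors also use CDNs, so a production list would be wider.
VENDOR_HOSTS = {
    "vlc": {"get.videolan.org", "download.videolan.org"},
    "skype": {"download.skype.com"},
}

# Constructed known-good SHA-256 of an installer. A real check would use the
# value the vendor publishes, ideally fetched over an independent channel.
EXPECTED_SHA256 = {
    "vlc": hashlib.sha256(b"genuine-vlc-installer").hexdigest(),
}

def redirect_leaves_vendor(app, redirect_chain):
    """Return the hops (URLs the client followed) whose host is not on the
    vendor allow-list for this app; an empty list means all hops were okay."""
    allowed = VENDOR_HOSTS[app]
    return [u for u in redirect_chain if urlsplit(u).hostname not in allowed]

def installer_matches(app, data):
    """True if the downloaded bytes hash to the vendor-published value."""
    return hashlib.sha256(data).hexdigest() == EXPECTED_SHA256[app]

def assess_download(app, redirect_chain, data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    bad_hops = redirect_leaves_vendor(app, redirect_chain)
    if bad_hops:
        findings.append(f"redirect off vendor domain: {bad_hops}")
    if not installer_matches(app, data):
        findings.append("installer hash does not match published value")
    return findings

if __name__ == "__main__":
    # Constructed sample: the client asked the vendor host and was sent to
    # an unrelated server (203.0.113.0/24 is a documentation range).
    chain = ["http://get.videolan.org/vlc/x.exe", "http://203.0.113.7/vlc.exe"]
    print(assess_download("vlc", chain, b"trojanized-vlc-installer"))
```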

“During the course of our investigations, we found a number of indicators that suggest the redirection is happening at the level of a major internet provider’s service,” comments Filip Kafka.

According to Kafka, these campaigns are the first where the probable involvement of a major internet provider in spreading malware has been publicly disclosed.

“These FinFisher campaigns are sophisticated and stealthy surveillance projects, unprecedented in their combination of methods and reach.”

For further details, read Filip Kafka’s article at ESET’s security blog, WeLiveSecurity.com. In the past, WeLiveSecurity.com has published a number of articles on FinFisher-based campaigns.

Note for editors:
With FinFisher, so-called government malware and the security industry’s approach to it returns to the spotlight. For ESET, there is no such thing as good malware; please read ESET’s response to an open letter by Bits of Freedom, a digital rights activist group.