Having discovered a wave of surveillance campaigns in several countries in summer 2017, ESET researchers dug deep into the samples of FinFisher.
FinFisher, also known as FinSpy, has a history of being used in surveillance campaigns, both against legitimate targets and against political opposition in countries with oppressive regimes.

However, the most recent in-depth public analyses covered samples dating back to 2010. Since then, FinFisher has gained strong anti-analysis measures, which is apparently why the more recent reports on it contain little technical detail.

In one of those reports, a reputable security company even admitted that, because of the heavy obfuscation, it was unable to extract the C&C server addresses from the samples.

To be able to start a thorough analysis of how these recent samples work, ESET researchers first had to break through all FinFisher’s protective layers.

To help malware analysts and security researchers get past FinFisher's anti-disassembly obfuscation and its code-virtualisation layer, they have collected the techniques they used in a whitepaper: “ESET’s guide to deobfuscating and devirtualizing FinFisher”.

“The company behind FinFisher has built a multimillion-dollar business around this spyware — so it comes as no surprise that they put a much bigger effort into hiding and obfuscation than most common cybercriminals,” comments Filip Kafka, ESET malware analyst who leads the analysis of FinFisher. “Our aim is to help our peers analyze FinFisher and thus protect internet users from this threat.”

Kafka expects the FinFisher creators to improve their protections to make FinFisher hard to analyze again. “With their huge resources, there is no doubt FinFisher will receive even better anti-analysis features. However, I expect their additional measures to cost more to implement while being easier to crack for us the next time around.”

ESET’s analysis into FinFisher is ongoing.