The FinFisher Suite is described by its distributors, Gamma International UK Ltd., as “Governmental IT Intrusion and Remote Monitoring Solutions.” 1 The toolset first gained notoriety after it was revealed that the Egyptian Government’s state security apparatus had been involved in negotiations with Gamma International UK Ltd. over the purchase of the software. Promotional materials have been leaked that describe the tools as providing a wide range of intrusion and monitoring capabilities.2 Despite this, however, the toolset itself has not been publicly analyzed.
This post contains analysis of several pieces of malware obtained by Vernon Silver of Bloomberg News that were sent to Bahraini pro-democracy activists in April and May of this year. The purpose of this work is identification and classification of the malware to better understand the actors behind the attacks and the risk to victims. In order to accomplish this, we undertook several different approaches during the investigation.
As well as directly examining the samples through static and dynamic analysis, we infected a virtual machine (VM) with the malware. We monitored the filesystem, network, and running operating system of the infected VM.
This analysis suggests the use of “Finspy”, part of the commercial intrusion kit, Finfisher, distributed by Gamma International.
