Analysis of the Finfisher lawful interception malware



Botnet: Finfisher
Malware: Finfisher (bot)
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
C&C protocol: HTTP
Date: 2012/08 (8 Aug 2012)
Editor/Conference: Rapid7
Link: (Archive copy)
Author: Claudio Guarnieri


It's all over the news once again: lawful interception malware discovered in the wild, used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan used by the federal government in Germany, and when WikiLeaks released a collection of related documents in the Spy Files. We read about an alleged offer from Gamma Group to provide its FinFisher toolkit to the Egyptian government, and we are reading about it once again now, with the same toolkit being delivered to human rights activists in Bahrain through spearphishing attacks. We are all well aware of a growing market of Western companies developing and selling malware for use by government organizations around the world, but whenever one of these products turns up in other geographical areas, the potential political and ethical implications tend to generate interest. While I'm trying to provide context for the analysis below, it's not in the scope of this article to digress into the political context of the incident. We are security practitioners interested in technology, and when dealing with malware, which in this case is easily prone to abuse, we want to understand what it does, how widespread it is and how we can respond.


 @misc{2012BFR1121,
   editor = {Rapid7},
   author = {Claudio Guarnieri},
   title = {Analysis of the Finfisher lawful interception malware},
   date = {08},
   month = Aug,
   year = {2012},
   howpublished = {\url{}},
 }