ASPENSMONSTER Just another WordPress site

August 8, 2014

FinFisher (Gamma International) Leaked Malware Suite Analysis

Filed under: Uncategorized — aspensmonster @ 8:08 pm

Flattr this!

0: Some notes

This document will be continually updated in the coming days.

UPDATE September 9 2014: Putting this on hold for now. Lots of other demands on my time at the moment.

Several days ago, a hacker operating under the alias PhineasFisher made the following post an the Anarchism subreddit:

This blog post serves as my main/central point from which I hope to analyze the content of these leaks. I have already begun analysis in different spaces:

I’ll likely continue to work in these spaces, but wanted to have a more personal, scratch-pad-like spot to continue to work.

1: Big picture of the leaked content

The hacker has provided his own overview (in a pastebin) of the leaked content.

The torrent file may be downloaded at:

Directory structure (root directory named “finfisher”):

  • Database.sql – A database containing data for the webapp whose root is found at /finfisher/www/GGI
  • qateam – Contains contents of an internal web server –presumably found after initial penetration of the public-facing webserver at— that was serving various mobile malware kits. The directory name seems to imply this was used by their QA team
  • www – Presumably the contents of the public-facing webserver
    • conf – site administration stuff. phpmyadmin, webalyzer
    • ffw – a demo of FinFisher Web / FinSpy Web, demonstrating numerous attack vectors for infecting target machines
    • FinFisher – Appears to be a dropbox of sorts for clients to retrieve their purchased kits; Most content is encrypted (as well as protected by an Apache mod_auth_basic username/password dialog), but there is some truly fascinating material in some of the other directories. The bulk of the size of the torrent can be found in these encrypted “”-type files.
      • Sales – Folder containing several archives of sales tools, tool documentation, company roadmaps, and even a pricelist
        • 05_New_Design.rar – Contains boilerplate business forms, like offer templates for prospective clients, license renewals for current clients, and a (relatively recent) pricelist, dated December 16 2013, that also coincidentally leaks some business-related logic (markups, preferred clients, etc)
        • – Contains lots of information about the company and its offerings, as well as roadmaps that indicate they were actively working on developing Mac and Linux intrusion capabilities in addition to the traditional Windows targets.
      • Engineers7117 – Folder filled with subdirectories and encrypted files. The directory names, as well as the filenames, seem to indicate that much of the (up-to-date) technical documentation of FinFisher/Gamma International’s catalog could be found within these files, were they decrypted.
    • GGI – Appears to be the root directory of the webapp powering the finsupport subdomain. Mostly just php stuff, but a directory named Attachments has unencrypted stuff that Gamma Group’s clients sent to them, presumably through the finsupport website’s support webform.
      • Support – Holds code for the support form
        • Attachments – Holds LOTS of different attachments, possibly named once again with the short keyids of the senders –though an initial search found no matches in public-key servers– that are unencrypted and include images (typically of FinSpy Master C&C servers that are failing to boot due to segfaults), and zip/rar archives that contain server logs for their “FinSpy Master” Command and Control (C&C) server (which, apparently, runs on a Debian GNU/Linux base). LOTS of interesting stuff in these logs, along with some basic insight into how this C&C server works (these logs, combined with diagrams from some of their sales material, can provide an excellent architectural overview of their product catalog).

Not every file is listed. I tried to only include what looked like the more useful bits for analysis.

2: A first look at corporate structure and product offerings

At this point, I will be referencing files found within the torrent by their names, as well as a sha256 hash of the file.

Filename sha256sum -> Gamma Corporate Presentation 2012-02-08_draft.pptx 2993ecb60c48a16e1d07fa207c0bdf5d3f8c1f16ec33253cef01b5285ea25dc1

Slide 2 from the aforementioned file. Diagrams corporate structure.

All of these companies fall under the parent company Gamma Group. See Project PM for more information on the Gamma Group. This leak concerns Gamma International, and focuses on (child company?) Finfisher IT Intrusion’s portfolio of technologies. That portfolio is further introduced in slide 7 of the same file:


High-level overview of the various components of the portfolio.

Further detail on this architecture –specifically, how the components communicate with each other– can be found in several brochures, along with a slide from the following file:

Filename sha256sum -> FinFisher-Presentation-2012-02-08_final.pptx 11ef3578be97cfa29d5d44036a6a307cc2d9fac0139124eaf1af5610e2920d96

Details communications pathways for the FinSpy product family.

Of particular importance is the use of relays throughout the internet to shield targets from the FinSpy Master command and control server. This product suite is architecturally identical to that of typical botnets found in the wild. Where the FinSpy product suite excels is in its coverage of the entire communications chain. Whereas typical botnet operators have only web-based attacks –visit a malicious url, download an infected file– FinFisher IT Intrusion and Gamma International have developed an entire suite of offerings that can be deployed at attack vectors all along the chain for the purposes of compromising the target with malware. The various pieces of software are described in turn in the same powerpoint slideshow file, and are detailed in the next section.

3: Investigating product capabilities

First, an overview of the available products that can be used to compromise target systems:

Product Name Description
FinSpy Mobile Offers ability to compromise target’s mobile phone: BlackBerry, iOS, Android.
FinSpy Refers to the suite of FinFly offerings enumerated below.
FinFly USB Requires direct access to machine. Can extract and infect.
FinFly FireWire Requires direct access to machine. Can extract and infect.
FinFly LAN Requires direct access to the target LAN. Can perform various MITM activities.
FinFly NET Requires that target visit a network that is in the control of the attacker. Can perform various MITM activies.
FinFly ISP Attacks the target’s ISP. Can MITM either before hitting the ISPs core network, or afterward.
FinFly Web Attempts to deploy malware to targets through various web-based attack vectors (See github repo for the code found in the leaks).
FinFly Exploit Portal Basically an online repository of 0-days and 1-days that paying customers can integrate into their attacks on targets and deploy to said targets using various other FinFly offerings.

Gamma International provides a handy suite of brochures that detail these capabilities, previously leaked by Wikileaks as well as more recently by the hacker. The hacker also gained access to some of the software behind the FinSpy Mobile and FinFly Web offerings, as well as customer-provided support documents (images, log files). Utilizing these sources, a more thorough understanding of these products can be obtained than is revealed by the brochures alone. As well, some of the attack vectors have since been uncovered and disclosed publicly –in particular, the FinFly Firewire attack has been revealed since 2012 and largely mitigated.

FinFly Web