ASPENSMONSTER Just another WordPress site

0: Some notes

This document will be continually updated in the coming days.

UPDATE September 9 2014: Putting this on hold for now. Lots of other demands on my time at the moment.

Several days ago, a hacker operating under the alias PhineasFisher made the following post an the Anarchism subreddit: http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/.

This blog post serves as my main/central point from which I hope to analyze the content of these leaks. I have already begun analysis in different spaces:

• Reddit: http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/cjjun4d (leaker provided short public keyids of various customers; these can also be found in the leaked materials)
• Github: https://github.com/FinFisher/FinFly-Web/pull/4 (Initial analysis of the Firefox browser addon/extension attack vector –one of several attack vectors collectively known as “FinFly Web”– that is meant to ultimately get the target to execute a payload)
• Project PM: http://wiki.project-pm.org/wiki/FinFisher_2014_Leaks (Eventually, should have more semantic data that links various customers, providers, and other related players in the industry)

I’ll likely continue to work in these spaces, but wanted to have a more personal, scratch-pad-like spot to continue to work.

1: Big picture of the leaked content

The hacker has provided his own overview (in a pastebin) of the leaked content.

The torrent file may be downloaded at: http://aspensmonster.com/finfisher.torrent

Directory structure (root directory named “finfisher”):

• Database.sql – A database containing data for the webapp whose root is found at /finfisher/www/GGI
• qateam – Contains contents of an internal web server –presumably found after initial penetration of the public-facing webserver at http://finsupport.finfisher.com— that was serving various mobile malware kits. The directory name seems to imply this was used by their QA team
• www – Presumably the contents of the public-facing webserver
• conf – site administration stuff. phpmyadmin, webalyzer
• ffw – a demo of FinFisher Web / FinSpy Web, demonstrating numerous attack vectors for infecting target machines
• FinFisher – Appears to be a dropbox of sorts for clients to retrieve their purchased kits; Most content is encrypted (as well as protected by an Apache mod_auth_basic username/password dialog), but there is some truly fascinating material in some of the other directories. The bulk of the size of the torrent can be found in these encrypted “Package.zip.gpg”-type files.
• Sales – Folder containing several archives of sales tools, tool documentation, company roadmaps, and even a pricelist
• 05_New_Design.rar – Contains boilerplate business forms, like offer templates for prospective clients, license renewals for current clients, and a (relatively recent) pricelist, dated December 16 2013, that also coincidentally leaks some business-related logic (markups, preferred clients, etc)
• GammaSalesKit.zip – Contains lots of information about the company and its offerings, as well as roadmaps that indicate they were actively working on developing Mac and Linux intrusion capabilities in addition to the traditional Windows targets.
• Engineers7117 – Folder filled with subdirectories and encrypted files. The directory names, as well as the filenames, seem to indicate that much of the (up-to-date) technical documentation of FinFisher/Gamma International’s catalog could be found within these files, were they decrypted.
• GGI – Appears to be the root directory of the webapp powering the finsupport subdomain. Mostly just php stuff, but a directory named Attachments has unencrypted stuff that Gamma Group’s clients sent to them, presumably through the finsupport website’s support webform.
• Support – Holds code for the support form
• Attachments – Holds LOTS of different attachments, possibly named once again with the short keyids of the senders –though an initial search found no matches in public-key servers– that are unencrypted and include images (typically of FinSpy Master C&C servers that are failing to boot due to segfaults), and zip/rar archives that contain server logs for their “FinSpy Master” Command and Control (C&C) server (which, apparently, runs on a Debian GNU/Linux base). LOTS of interesting stuff in these logs, along with some basic insight into how this C&C server works (these logs, combined with diagrams from some of their sales material, can provide an excellent architectural overview of their product catalog).

Not every file is listed. I tried to only include what looked like the more useful bits for analysis.

2: A first look at corporate structure and product offerings

At this point, I will be referencing files found within the torrent by their names, as well as a sha256 hash of the file.

Slide 2 from the aforementioned file. Diagrams corporate structure.

All of these companies fall under the parent company Gamma Group. See Project PM for more information on the Gamma Group. This leak concerns Gamma International, and focuses on (child company?) Finfisher IT Intrusion’s portfolio of technologies. That portfolio is further introduced in slide 7 of the same file:

High-level overview of the various components of the portfolio.

Further detail on this architecture –specifically, how the components communicate with each other– can be found in several brochures, along with a slide from the following file:

Details communications pathways for the FinSpy product family.

Of particular importance is the use of relays throughout the internet to shield targets from the FinSpy Master command and control server. This product suite is architecturally identical to that of typical botnets found in the wild. Where the FinSpy product suite excels is in its coverage of the entire communications chain. Whereas typical botnet operators have only web-based attacks –visit a malicious url, download an infected file– FinFisher IT Intrusion and Gamma International have developed an entire suite of offerings that can be deployed at attack vectors all along the chain for the purposes of compromising the target with malware. The various pieces of software are described in turn in the same powerpoint slideshow file, and are detailed in the next section.

3: Investigating product capabilities

First, an overview of the available products that can be used to compromise target systems:

Gamma International provides a handy suite of brochures that detail these capabilities, previously leaked by Wikileaks as well as more recently by the hacker. The hacker also gained access to some of the software behind the FinSpy Mobile and FinFly Web offerings, as well as customer-provided support documents (images, log files). Utilizing these sources, a more thorough understanding of these products can be obtained than is revealed by the brochures alone. As well, some of the attack vectors have since been uncovered and disclosed publicly –in particular, the FinFly Firewire attack has been revealed since 2012 and largely mitigated.

FinFly Web

See: https://github.com/FinFisher/FinFly-Web