BEWARE FINSPY-FINFISHER ATTACKS by YOUTUBE!!!!!

in finspy •  5 years ago 


YouTube is currently making its content more "relevant" and "timely" by exporting "your" RECENT-FILE-HISTORY list, from "your" laptop-pc-other-device; and the files-themselves over-the-net, possibly even while you're "watching." This has been happening with most of the shows I've been watching here; but I was convinced this morning by one of the "community-death squad-assassins" who patrol our neighborhoods. You know the guys & girls who wear red and black all the time.

http://www.upscalehype.com/2017/08/drake-wears-balenciaga-backpack-east-end-shooters-tee-stone-island-pants-and-off-white-x-nike-sneakers-in-hollywood/

*The above photo depicts the "style" of dress, typically worn by "community-assassins." This is NOT fashion, it is a DEATH THREAT!!! You shouldn't speak to these people, answer their questions, or cooperate with them, especially against ANY OTHER PERSON!

Well this so-and-so comes patrolling-by, wearing a big red-and-black swastika on his shirt and flashes "me-personally" the NAZI salute. Well, it just so happens that I was viewing NAZI-COS-PLAY "ANIME," the stuff with the Japanese girls with big tits wearing swastikas, on my laptop the night before while connected to the net. I mean, I can't prove it; but I've been suspecting this for some time; and my encrypted cell phone provider just sent me a "FinSpy-FinFisher" warning about 90 days ago.

**TURN OFF YOUR RECENT FILE HISTORY!!!!! OK!!!!!**

Sent at: 8/7/2019 10:01:34 AM
Combing the monitoring worlds of G3, GSM, CYBER, Wi-Fi,
OSINT & GEO LOCATION
From : ******************************************
To: **********************************************************

AUGUST 07, 2019: ISSUE #856
THE HYDRA 2020

THE NEW HSS HYDRA 2020

An all-encompassing platform
combining the monitoring worlds of
3G, GSM, CYBER, Wi-Fi, OSINT & GEO LOCATION
A most advanced, proprietary ombudsman of counter terrorist solutions
featuring intercepting, monitoring, decrypting, geo-location, data analysis
plus so much more.

In one complete multi-headed platform you can now Intercept, monitor,
collect and analyze data from ...
WhatsApp, FB Messenger, Viber , Signal and other social media platforms
Satellite telephone communications
Cellular communications via Active GSM Field Interception and IMSI/IMEI Catchers and passive GSM Intercept
Cell traffic, VOICE and SMS and perform Remote Phone Manipulations

ADDITIONAL FEATURES
RF Detection, intercepting and jamming phone, drone, + RF signals
Intelligence gathering utilizing GSM and WIFI Tactical
Interception.

Geo Intelligence; video to 3D mapping solution with OSINT, Big Data
analysis & Geo-location Vehicle direction finding
Personal GSM finder and locator; track targets around the country
Collect MAC for WIFI tracking, phone numbers for OSINT, Voice
Print & Gender IDs

DON'T MISS OUT ON THE FEATURED
WhatsApp DEMONSTRATION KIT
Looking for a powerful solution to capture WhatsApp messages?
Penetrate cellular defenses
Generate effective access to Target devices
Perform interception of their data communications
Operate in 'new' locations, without requiring any integration
Extract data from phones
Capture cell phones and windows 10 remotely
Unlimited infections/intercepts
Can control 10 phones at any one time

For trial rental to authorized law enforcement agencies only
CONTACT ME. JOE PORTER

Questions?
Contact us today

ABOUT

*** designs and builds advanced RF solutions for both Law Enforcement and Defense industries. For
more information, demonstrations, or Reseller Opportunities, Contact Us.
Some of the technologies mentioned herein may be restricted to Government Agencies only, and
are mentioned for informational purposes. Contact us for more information.
Legal Notice: This email is intended only as a proprietary notice and does not constitute an offer to sell
surreptitious intercept devices or technologies. Such information or offer can only be made by an official
Homeland Security Strategies pro-forma invoice signed by an authorized agent of *** and furthermore,
in the United States, must be a Law Enforcement Agency or political subdivision of the United States
Government; in compliance with the US code Title 18 Section 2512. Available to authorized agencies and
their authorized vendors only.

Legal Notice: This email is intended only as a proprietary notice and does not constitute an offer to sell
RF Jammer and or Bomb Jammer TM systems - equipment. In addition, all Jamming devices in part or
whole are strictly regulated by the US Department of State in accordance with the guidelines in the
International Traffic in Arms (ITAR) per title 22, Code of Federal Regulations (CFR), Parts 120-130. Any
such offer can only be made by an official HSS proforma invoice signed by an authorized agent of ***
conforming to US code Title 22, Parts 120-130. Available to authorized agencies only.
You are receiving this message because you have inquired with one of our 4 web sites containing Law
Enforcement systems at either **** Technologies or *** or have specifically been referred to us.
Please expect one to two messages per month with timely information about our technologies and
applications. Should you choose not to receive future messages, please follow the iContact instructions
below.



FINSPY

FinSpy is a field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries. FinSpy provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory (recent file list) and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet. Personal data including contacts, messages, audios and videos, can be exfiltrated from most popular messengers.

According to information on its official website, FinFisher, among other tools and services, provides a “strategic wide-scale interception and monitoring solution”. This software (also known as FinSpy) is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks and mobile implants were discovered in 2012. Since then xxxxx Technologies has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at xxxxx Technologies looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory (recent file list), phone call recordings and data from the most popular messengers.

Malware features

The Android implant is capable of gaining root privileges on an unrooted device by abusing the DirtyCow exploit, which is contained in the malware. FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in June 2019.


The Android implant’s functionality is unlikely to change much, given that most of the configuration parameters are the same in the old and new versions. The variety of available settings makes it possible to tailor the behavior of the implant for every victim. For example, operators can choose the preferred communication channels or automatically disable data transfers while the victim is in roaming mode. All the configuration data for an infected Android device (including the location of the control server) is embedded in the implant and used afterwards, but some of the parameters can be changed remotely by the operator. The configuration data is stored in compressed format, split into a set of files in the assets directory of the implant apk. After extracting all the pieces and rebuilding the configuration file, it is possible to recover every configuration value. Each value in the configuration file is stored immediately after its size, encoded as a little-endian integer, and the setting type is stored as a hash.

Among the settings found in the configuration file of the developer build of the implant, the following are of particular interest: mobile target ID, proxy IP address, proxy port, phone number for remote SMS control, and the unique identifier of the installed implant.
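The report gives only the outline of the configuration format (compressed, split across asset files, each value preceded by a little-endian size, type stored as a hash) and not the field widths, hash function or compression algorithm. The following is an added analyst-side example, not code from the report or from the malware: it assumes a 4-byte type tag, a 4-byte little-endian size and zlib compression, and uses constructed tag values and sample settings so it runs offline.

```python
import struct
import zlib

# Assumed record layout (the report gives no field widths):
#   4-byte setting-type hash, 4-byte little-endian value size, then the value.
HDR = struct.Struct("<II")

# Constructed tag values standing in for the real (unknown) setting hashes.
KNOWN_TAGS = {
    0x11111111: "target_id",
    0x22222222: "proxy_ip",
    0x33333333: "proxy_port",
    0x44444444: "sms_control_number",
}


def build_sample_assets(values, chunk_size=7):
    """Construct a compressed config and split it into ordered chunks,
    mimicking the set of files in the implant's assets directory."""
    blob = b"".join(HDR.pack(tag, len(v)) + v for tag, v in values)
    packed = zlib.compress(blob)
    return [packed[i:i + chunk_size] for i in range(0, len(packed), chunk_size)]


def reassemble(chunks):
    """Concatenate the chunks in order and decompress into the raw config."""
    return zlib.decompress(b"".join(chunks))


def parse_config(raw):
    """Walk the length-prefixed records; reject truncated or oversized ones
    so a corrupted or hostile blob cannot make the parser read past the end."""
    out, off = {}, 0
    while off < len(raw):
        if off + HDR.size > len(raw):
            raise ValueError(f"truncated record header at offset {off}")
        tag, size = HDR.unpack_from(raw, off)
        off += HDR.size
        if off + size > len(raw):
            raise ValueError(f"record 0x{tag:08x} claims {size} bytes past end")
        out[KNOWN_TAGS.get(tag, f"unknown_0x{tag:08x}")] = raw[off:off + size]
        off += size
    return out


# Constructed sample settings (192.0.2.10 is a documentation-only address).
SAMPLE = [
    (0x11111111, b"TARGET-0042"),
    (0x22222222, b"192.0.2.10"),
    (0x33333333, struct.pack("<H", 443)),
    (0x44444444, b"+15555550100"),
    (0x99999999, b"\x01"),  # tag absent from KNOWN_TAGS, kept as unknown
]
```

Unknown tags are kept rather than dropped so that new settings introduced by a later build still show up when the recovered configuration is reviewed.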

As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, or through remote infection vectors: SMS messages, emails and WAP Push. After successful installation, the implant tries to gain root privileges by checking for the presence of the known rooting modules SuperSU and Magisk and running them. If neither utility is present, the implant decrypts and executes the DirtyCow exploit, which is located inside the malware; if it successfully obtains root access, the implant registers a custom SELinux policy to get full access to the device and maintain root access. If it used SuperSU, the implant modifies the SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during boot. It also deletes all possible logs, including SuperSU logs.

The implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory (recent file list) and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet (the C2 server location is stored in the configuration file). Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers. Each of the targeted messengers has its own unified handling module, which makes it easy to add new handlers if needed.

The full hardcoded list of supported messengers is shown below:

| Package name | Application name |
|---|---|
| com.bbm | BBM (BlackBerry Messenger) |
| com.facebook.orca | Facebook Messenger |
| com.futurebits.instamesssage.free | InstaMessage |
| jp.naver.line.android | Line Messenger |
| org.thoughtcrime.securesms | Signal |
| com.skype.raider | Skype |
| org.telegram.messenger | Telegram |
| ch.threema.app | Threema |
| com.viber.voip | Viber |
| com.whatsapp | WhatsApp |

First, the implant checks that the targeted messenger is installed on the device (using the hardcoded package name) and that root access is granted. After that, the messenger database is prepared for data exfiltration. If necessary, it is decrypted with the private key stored in the messenger's private directory, and any required information can then be queried directly.


All media files and information about the user are exfiltrated as well.


Infrastructure

FinSpy implants are controlled by the FinSpy Agent (operator terminal). By default, all implants are connected to FinSpy anonymizing proxies (also referred to as FinSpy Relays) provided by the spyware vendor. This is done to hide the real location of the FinSpy Master. As soon as the infected target system appears online, it sends a heartbeat to the FinSpy Proxy. The FinSpy Proxy forwards connections between targets and a master server. The FinSpy Master server manages all targets and agents and stores the data. Based on decrypted configuration files, our experts were able to find the different relays used by the victims and their geographical location. Most of the relays we found are concentrated in Europe, with some in South-East Asia and the USA.

Conclusion

FinSpy mobile implants are advanced malicious spy tools with diverse functionality. Various configuration capabilities provided by the spyware vendor in their product enable the FinSpy terminal (FinSpy Agent) operators to tailor the behavior of each implant for a particular victim and effectively conduct surveillance, exfiltrating sensitive data such as GPS location, contacts, calls and other data from various instant messengers and the device itself.

The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that this spyware solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented.

Since the leak in 2014, the FinSpy developers have recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market.

Overall, during the research, up-to-date versions of these implants used in the wild were detected in almost 20 countries, although the total number could be higher.

FinSpy developers are constantly working on updates for their malware. At the time of publication, xxxxx Technologies researchers have found another version of the threat and are currently investigating this case.
