FinFisher malware hijacks Windows Boot Manager with UEFI bootkit

Commercially developed FinFisher malware can now infect Windows devices using a UEFI bootkit that replaces the legitimate Windows Boot Manager on the EFI System Partition.

FinFisher (also known as FinSpy and Wingbird) is a surveillance solution developed by Gamma Group that also comes with malware-like capabilities often found in spyware strains.

Its developer says it's sold exclusively to government agencies and law enforcement worldwide, but cybersecurity firms have also seen it delivered through spearphishing campaigns and through the infrastructure of Internet Service Providers (ISPs).

Evasiveness and persistence powerhouse

"During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one," Kaspersky researchers revealed today.

"This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence."

UEFI (Unified Extensible Firmware Interface) bootkits can be extremely persistent: when the implant lives in the firmware itself, it sits in SPI flash storage soldered to the computer's motherboard, so it survives hard drive replacement and even OS re-installation.

Bootkits are malicious code planted in the firmware or in the early boot chain. Because they are designed to load before everything else, in the initial stage of a device's boot sequence, they are invisible to security solutions running inside the operating system.

They give attackers control over the operating system's boot process and make it possible to sabotage OS defenses, bypassing the Secure Boot mechanism depending on the system's boot security mode (as the NSA explains, enabling "full boot" or "thorough boot" mode would block the malware).

Publicly documented attacks and malware using bootkits in the wild are extremely rare. Known examples include LoJax, used by the Russian-backed APT28 hacking group; MosaicRegressor, deployed by Chinese-speaking hackers; TrickBot's TrickBoot module; and Moriya, which Chinese-speaking threat actors have likely used for espionage since 2018.

"While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine," the researchers added.
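Because this variant does not touch the firmware but swaps out bootmgfw.efi on the EFI System Partition (ESP), the first thing a defender can do is check whether the boot manager on that partition is still the Microsoft-signed original. The following PowerShell snippet is an added example, not code from Kaspersky's report or from the original article. It assumes an elevated prompt on a UEFI-booted Windows system and that drive letter S: is unused; it mounts the ESP, verifies the Authenticode signature and hash of bootmgfw.efi, lists every .efi loader on the partition, and reports the Secure Boot state.

```powershell
# Added example: check whether the Windows Boot Manager on the ESP is still the
# Microsoft-signed original. Run from an elevated prompt on a UEFI system.
# Assumption: drive letter S: is free to use for the ESP mount.
#Requires -RunAsAdministrator

$espLetter = 'S:'
$bootmgr   = "$espLetter\EFI\Microsoft\Boot\bootmgfw.efi"

# mountvol /S assigns a drive letter to the EFI System Partition.
mountvol $espLetter /S
if (-not (Test-Path $bootmgr)) {
    mountvol $espLetter /D
    throw "Boot manager not found at $bootmgr; inspect the ESP layout manually."
}

try {
    # 1. Authenticode check. A replaced bootmgfw.efi typically shows Status
    #    NotSigned or HashMismatch, or a signer that is not Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $bootmgr
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $hash   = (Get-FileHash -Path $bootmgr -Algorithm SHA256).Hash

    [pscustomobject]@{
        File   = $bootmgr
        Status = $sig.Status
        Signer = $signer
        SHA256 = $hash
    } | Format-List

    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        Write-Warning 'bootmgfw.efi is not a validly Microsoft-signed binary; treat the ESP as compromised.'
    }

    # 2. Compare with the copy Windows keeps under %SystemRoot%\Boot\EFI, which is
    #    the source bcdboot uses when it (re)populates the ESP. A mismatch is not
    #    proof of tampering (servicing can update one before the other) but it
    #    deserves a look when combined with a bad signature.
    $sysCopy = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
    if (Test-Path $sysCopy) {
        $sysHash = (Get-FileHash -Path $sysCopy -Algorithm SHA256).Hash
        "System copy SHA256: $sysHash"
        if ($sysHash -ne $hash) {
            Write-Warning 'ESP and %SystemRoot%\Boot\EFI copies of bootmgfw.efi differ; investigate.'
        }
    }

    # 3. List every EFI loader on the partition. Bootkits often add their own
    #    .efi files or park the original boot manager under a different name.
    Get-ChildItem -Path "$espLetter\EFI" -Recurse -Filter *.efi |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize

    # 4. Secure Boot state. With Secure Boot off, an unsigned or tampered boot
    #    manager runs unchallenged. The cmdlet throws on non-UEFI systems.
    try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
    catch { Write-Warning "Could not query Secure Boot state: $($_.Exception.Message)" }
}
finally {
    # Always release the drive letter again.
    mountvol $espLetter /D
}
```

One caveat: this check runs from inside the operating system whose boot chain is under suspicion, so a bootkit that has already taken control could in principle interfere with what the OS shows. For a trustworthy answer, mount the disk from clean boot media (or image the ESP) and run the same signature and hash checks from there.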

Older computers without UEFI support were infected with a similar tactic through the MBR (Master Boot Record), using a bootkit first detected in 2014.

Advanced obfuscation and anti-analysis measures

For other malware samples used in the attacks analyzed by Kaspersky, the spyware's developers also used four layers of obfuscation and anti-analysis measures designed to make FinFisher one of the "hardest-to-detect spywares to date."

Their efforts were highly effective: the malware samples evaded almost any detection attempt and were virtually impossible to analyze (every sample spotted by Kaspersky required an "overwhelming" amount of work to unscramble).

"The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive," added Igor Kuznetsov, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

"It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect."

You can find further details and indicators of compromise (IOCs) related to FinFisher's Windows, Linux, and macOS infection vectors at the end of Kaspersky's report.
