29 September 2021

FinSpy spyware upgraded with a UEFI bootkit

Developers behind the notorious commercial FinSpy surveillance tool have added a capability that hijacks and replaces the Windows UEFI (Unified Extensible Firmware Interface) bootloader, allowing the spyware to infect target machines without being detected by security solutions.

The discovery was made by Kaspersky researchers during an eight-month investigation into the FinSpy (aka FinFisher/Wingbird) spyware, which they have been tracking since 2011. The software's Windows desktop implants were first detected in 2011, and in 2014 FinSpy samples were observed packing Master Boot Record (MBR) bootkits.

However, since 2018 the researchers noticed a decrease in the detection rate of FinSpy for Windows, and in 2019 they found upgraded Android and iOS samples.

"During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager. It is stored inside the efi\microsoft\boot\en-us\ directory, with the name consisting of hexadecimal characters. This directory contains two more files: the Winlogon Injector and the Trojan Loader," the researchers said.

“Once the original bootloader is located, it is loaded into memory, patched, and launched. This way of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks,” they added.
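As an added illustration (not code from the article or from Kaspersky), the following Python audit applies the indicators described above to an EFI System Partition file listing: it compares bootmgfw.efi against a known-good hash and flags unexpected files, in particular hex-named ones, inside efi\microsoft\boot\en-us\. The sample ESP contents are constructed, and the list of expected .mui resource files in that directory is an assumption.

```python
"""Offline integrity audit of an EFI System Partition (ESP) listing, modelled on
the reported FinSpy bootkit layout: a replaced bootmgfw.efi and extra files
(one with a hexadecimal name) inside efi\\microsoft\\boot\\en-us\\."""
import hashlib
import re
from pathlib import PurePosixPath

BOOTMGFW = "efi/microsoft/boot/bootmgfw.efi"
MUI_DIR = "efi/microsoft/boot/en-us"
# Assumption: a stock en-us directory holds only these resource files.
EXPECTED_MUI = {"bootmgfw.efi.mui", "bootmgr.efi.mui", "memtest.efi.mui"}
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")

def normalize(path: str) -> str:
    """ESP paths live on FAT32 and are case-insensitive: compare lowercase, '/'-separated."""
    return path.replace("\\", "/").lower().strip("/")

def audit_esp(files: dict[str, bytes], known_good_sha256: str) -> list[str]:
    """files maps ESP-relative paths to contents; returns human-readable findings."""
    tree = {normalize(p): data for p, data in files.items()}
    findings = []
    boot_manager = tree.get(BOOTMGFW)
    if boot_manager is None:
        findings.append(f"{BOOTMGFW} is missing")
    elif hashlib.sha256(boot_manager).hexdigest() != known_good_sha256:
        findings.append(f"{BOOTMGFW} does not match the known-good hash")
    for path in sorted(tree):
        p = PurePosixPath(path)
        if str(p.parent) != MUI_DIR or p.name in EXPECTED_MUI:
            continue  # only the MUI directory is checked for stray files
        kind = "hex-named file" if HEX_NAME.match(p.stem) else "unexpected file"
        findings.append(f"{kind} in {MUI_DIR}: {p.name}")
    return findings

# Constructed sample data (not real binaries): a clean ESP and one laid out like
# the infection described in the article. File names other than the hex one are invented.
GENUINE_BOOTMGR = b"MZ genuine boot manager (constructed sample)"
KNOWN_GOOD = hashlib.sha256(GENUINE_BOOTMGR).hexdigest()  # from a clean reference machine
CLEAN_ESP = {
    r"EFI\Microsoft\Boot\bootmgfw.efi": GENUINE_BOOTMGR,
    r"EFI\Microsoft\Boot\en-US\bootmgfw.efi.mui": b"mui",
    r"EFI\Microsoft\Boot\en-US\bootmgr.efi.mui": b"mui",
    r"EFI\Microsoft\Boot\en-US\memtest.efi.mui": b"mui",
}
INFECTED_ESP = {
    **CLEAN_ESP,
    r"EFI\Microsoft\Boot\bootmgfw.efi": b"MZ malicious loader (constructed sample)",
    r"EFI\Microsoft\Boot\en-US\4a6f8b2c1d3e5f70": GENUINE_BOOTMGR,  # relocated original
    r"EFI\Microsoft\Boot\en-US\injector.dat": b"x",  # stand-in for the Winlogon Injector
    r"EFI\Microsoft\Boot\en-US\loader.dat": b"x",    # stand-in for the Trojan Loader
}

if __name__ == "__main__":
    for label, esp in (("clean", CLEAN_ESP), ("infected", INFECTED_ESP)):
        print(label, audit_esp(esp, KNOWN_GOOD) or ["no findings"])
```

On a live system the same dictionary can be built by walking a mounted ESP, with the known-good hash taken from install media of the same Windows build.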

While previous FinSpy versions embedded the Trojan directly in the infected application, Kaspersky found the new samples guarded by two components: a non-persistent pre-validator and a post-validator.

“The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Only when the checks pass is the post-validator component provided by the server – this component ensures that the infected victim is the intended one. Only then would the server command deployment of the full-fledged Trojan platform,” Kaspersky explained.

FinFisher is heavily obfuscated with four complex custom-made obfuscators. The primary function of this obfuscation is to slow down the analysis of the spyware.

The researchers also noticed that when the spyware targets machines that do not support UEFI, it infects them through the MBR (Master Boot Record) instead.

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” said Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect. The fact that this spyware is deployed with high precision and is practically impossible to analyze also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample. I believe complex threats such as FinFisher demonstrate the importance for security researchers to cooperate and exchange knowledge as well as invest in new types of security solutions that can combat such threats.”
