ESET security researchers say that Internet providers in at least two countries are helping to spread the very dangerous FinFisher spyware.
The FinFisher spyware, also known as FinSpy, was created many years ago by Gamma Group International from Germany, and its sales are managed by a subsidiary, Gamma Group, in the UK. FinFisher is distributed mainly to government and law enforcement agencies in various countries, but Gamma Group has repeatedly been caught selling its solutions to countries with totalitarian regimes, so experts have long considered this software very dangerous malware.
FinFisher is a classic example of spyware: it can turn on cameras and microphones on an infected machine, intercept keystrokes, steal files, eavesdrop on Skype calls, and so on.
Typically, FinFisher is distributed in the same way as other malware: through targeted phishing, 0-day exploits, drive-by downloads, watering hole attacks, etc. But ESET researchers now state that FinFisher is entering a new level, and Internet providers in at least two countries have joined in its distribution.
Since Internet providers can monitor their customers' traffic, they use this position to carry out specific MitM attacks. When a user tries to download a certain program, they are redirected to a hidden malicious version of that software containing FinFisher. To do this, the Internet providers use an HTTP 307 Temporary Redirect.
According to the researchers, Internet providers substitute well-known applications such as WhatsApp, Skype, Avast, WinRAR, VLC Player and many others in this way. ESET analysts do not disclose the names of these providers so as not to expose anyone to danger.
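For defenders, the 307 redirect described above leaves a trace in proxy or download logs. The following added example (not from ESET or the original article) audits an already captured redirect chain and flags cleartext hops and redirects that leave the vendor's domains; the chain format, the `vendor.example` allowlist and all hosts are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: (requested URL, status code, Location header) per hop.
# Hosts use reserved example/invalid domains; they are not real indicators.
SAMPLE_CHAIN = [
    ("http://downloads.vendor.example/player-setup.exe", 307,
     "http://cdn.mirror.invalid/player-setup.exe"),
    ("http://cdn.mirror.invalid/player-setup.exe", 200, None),
]
CLEAN_CHAIN = [
    ("https://downloads.vendor.example/player-setup.exe", 302,
     "https://cdn.vendor.example/v3/player-setup.exe"),
    ("https://cdn.vendor.example/v3/player-setup.exe", 200, None),
]

def host_trusted(host, trusted_suffixes):
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def audit_chain(chain, trusted_suffixes):
    """Return (finding, url) tuples for one download's redirect chain."""
    findings = []
    for url, status, location in chain:
        src = urlsplit(url)
        # An on-path party can only rewrite responses it can read and forge,
        # so every cleartext hop is a place where a redirect can be injected.
        if src.scheme != "https":
            findings.append(("cleartext-hop", url))
        if status in (301, 302, 303, 307, 308) and location:
            dst = urlsplit(urljoin(url, location))  # resolve relative Location
            if not host_trusted(dst.hostname, trusted_suffixes):
                findings.append(("offsite-redirect-%d" % status, dst.geturl()))
            if src.scheme == "https" and dst.scheme != "https":
                findings.append(("https-downgrade", dst.geturl()))
    return findings

if __name__ == "__main__":
    for name, chain in (("sample", SAMPLE_CHAIN), ("clean", CLEAN_CHAIN)):
        print(name, audit_chain(chain, ["vendor.example"]))
```

A finding is a reason to compare the downloaded file's hash or code signature against the vendor's published values, not proof of tampering, since legitimate CDNs also redirect off-site.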
It is worth noting that documents published by WikiLeaks confirm ESET's conclusions. According to these documents (PDF), one of the FinFisher packages (FinFly ISP) distributed by Gamma Group is intended for installation at the Internet provider level.
How can I check whether my computer has been infected, or whether I am being spied on?
All ESET products detect and block this threat as Win32/FinSpy.AA and Win32/FinSpy.AB. Using ESET’s Free Online Scanner, you can check your computer for its presence and remove it if detected.