Author Topic: Turkmenistan and Oman Negotiated to Buy Spy Software: Wikileaks  (Read 5707 times)

0 Members and 1 Guest are viewing this topic.

Offline mayya

  • Administrator
  • *****
  • Posts: 7874
Turkmenistan and Oman Negotiated to Buy Spy Software: Wikileaks
« on: September 05, 2013, 00:18:01 AM »


Turkmenistan and Oman Negotiated to Buy Spy Software: Wikileaks

by Pratap Chatterjee, Special to CorpWatch
September 4th, 2013



FinFisher Contract Document Cover. Released by Wikieaks


Turkmenistan and Oman have been negotiating with a consortium of British, German and Swiss companies to buy “FinFisher” software to spy on phone calls and Internet activity of unsuspecting targets, according to a new trove of documents just released by Wikileaks, the global whistleblowing organization.

Previously released promotional materials for FinFisher - a suite of software products manufactured by Gamma International, a UK company – claim that it can track locations of cell phones, break encryption to steal social media passwords, record calls including Skype chats, remotely operate built-in web cams and microphones on computers and even log every keystroke made by a user.

The new Wikileaks release includes contracts with the two countries that appear to be drawn up by Dreamlab Technologies in Bern, Switzerland, and Gamma International offices in Munich, Germany. If the documents are real, they will confirm claims by activists and researchers that the companies have attempted to sell surveillance software to governments with a decidedly mixed record on human rights.

"The corporate surveillance industry works hand in hand with governments throughout the world to enable illegitimate spying on citizens,” said Julian Assange, the editor in chief of WikiLeaks, in a statement issued with the documents. “WikiLeaks is committed to exposing and educating about this industry, with the goal that together we can build the understanding and the tools to protect ourselves, and each other, from its gaze."

Egypt

Gamma first came to public notice when similar contract documents for its FinFisher software were discovered by Egyptian human rights activists inside the headquarters of former dictator Hosni Mubarak’s State Security Investigations service, which was notorious for repressing dissidents. The activists broke into the building after Mubarak was toppled in the Arab Spring uprisings in 2011 and found Egyptian evaluations of Gamma technology stored alongside hundreds of police batons and other equipment used for torture.

While Gamma did not deny that the FinFisher technology had been tested by the Egyptian government, the company did release a carefully worded statement saying that it had never “supplied any of its FinFisher suite of products or related training etc to the Egyptian government."

The new Wikileaks documents shed light on two projects that appear to have gone much further.

Turkmenistan



According to the new company documents released by Wikileaks, Nicolas Mayencourt, the CEO of Dreamlab, took a trip to Turkmenistan in 2010 with Thomas Fischer of Gamma International, with the objective of helping the government build “an Infection Proxy Infrastructure and Solution applicable nationwide for all international traffic the Turkmentel and TMCell networks” ie a way to monitor calls on the national mobile phone network.

An initial proposal was submitted to the Turkmen government by the two companies on October 11, 2010, according to the documents released by Wikileaks, followed by a revised 61 page agreement between Fischer and Mayencourt dated December 13, 2010 titled “Infection Proxy Project 1.”

The documents include an invoice from Dreamlab to Gamma for 874,819.70 Swiss Francs ($789,000) for a custom designed hardware package of Cisco switches, HP computers and Intel adaptors to be installed in the country together with Gamma software named FinSpy and FinFly, that comprise the FinFisher suite.

It is not clear from the documents if Turkmenistan actually signed the contract.

But Bill Marczak, a research fellow at Citizen Lab and a PhD student at the University of California at Berkeley, who has published several reports on government spying technology, says that his prior research showed that FinFisher software was deployed on a Turkmenistan ministry of communications server last August.

On September 3, 2013, Marczak ran a check that confirmed that the software was still in place, and reviewed the company contracts for CorpWatch.

“The Turkmenistan documents match our finding of a FinSpy server on a network belonging to the Turkmenistan government,” Marczak said. “Gamma provides spyware … that gets injected into downloaded files and viewed webpages. DreamLab provides the hardware and software components necessary for the injection to work: the "infection proxy" that actually performs the injection of the spyware by rewriting webpages and files on-the-fly (hence the name "FinFly"), and hardware and software to target people based on DSL/cable/dial-up account names, mobile phone numbers etc.”

What makes the software “sneaky” is that it allows the Turkmen government to inject spyware into trusted webpages that are otherwise benign, says Marczak.

Other data released by Wikileaks shows that Holger Rumscheidt, the managing director of Elaman, a German reseller for Gamma, made a four day trip to Turkmenistan this past January, and another two day trip in mid-June. (Gamma offers two annual maintenance visits as part of the annual license fee)

Turkmenistan’s surveillance of its citizens has been documented in the past. “Servers … registered to the Ministry of Communications operated software that allowed the government to record Voice over Internet Protocol conversations, turn on cameras and microphones, and log keystrokes,” notes the most recent U.S. State department report on human rights in the country.

In addition to tracking its citizens, Turkmenistan government has long occupied one of the lowest ratings in the world for human right, according to activist groups like Amnesty and Human Rights Watch. “The country is virtually closed to independent scrutiny, media and religious freedoms are subject to draconian restrictions, and human rights defenders and other activists face the constant threat of government reprisal,” says the New York-based Human Rights Watch in its 2013 report on the country. “The government continues to use imprisonment as a tool for political retaliation.”

Oman

Gamma and Dreamlab also apparently collaborated in Oman.

The Wikileaks documents also show that Mayencourt of Dreamlab sent Fischer of Gamma an invoice for 408,743.55 Swiss Francs ($369,000) on June 12, 2010, for a very similar project to be installed in the Middle Eastern country. Payment was authorized by Stephan Oelkers of Gamma.

A subsequent 41 page agreement between Fischer and Mayencourt dated December 21, 2010 lays out the details for the “Monitoring system for iproxy-project” in Oman.

Marczak says that while the documents make it clear that the system is up and running, he has not identified FinFisher technology on any Omani servers yet.

The Omani government has also been criticized by activist groups like Human Rights Watch, which reported that authorities “restricted the freedoms of association and assembly, both in law and in practice.”

The latest U.S. State department report on Oman says that 32 individuals “received prison sentences for directly or indirectly criticizing the sultan in online fora and at peaceful protests” noting that three individuals, Mona Hardan, Talib al-Abry, and Mohammed al-Badi were imprisoned for 18 months for Facebook postings and Twitter comments deemed critical of the sultan.


 Spying Is Cheaper By The Dozen

 Newly released Wikileaks documents provide a fascinating insight into the cost of tracking people with Gamma’s Finfisher software suite.

A 2011 price manual  offers governments FinSpy software at four price levels, starting at €80,000 ($104,000) for up to 10 targets at the entry level, but the price drops dramatically for the “open” level which allows clients to target as many at 500 individuals for €200,000 ($260,000).

Additional options include a voice recording server at €20,000 ($26,000) and several different kinds of five day “intrusion” training modules either in the customer’s country or in Munich, Germany, for two to four students for €15,700 to €20,250. ($15,700 to $26,325)




Formal Complaint

 Gamma’s sale of surveillance software to repressive regimes is currently the subject of formal complaint to the Organization for Economic Cooperation and Development (OECD) by Privacy International, the European Center for Constitutional and Human Rights and Reporters Without Borders.

“Unregulated trade with surveillance technologies in authoritarian states is one of the biggest threats to press freedom and human rights work on the Internet,” said Christian Mihr, Executive Director of Reporters Without Borders Germany when the groups filed their complaint on February 1 this year. “Exports of such digital arms have to be made subject to the same restrictions as foreign dealings with traditional arms.”

Email requests from CorpWatch to Fischer, Mayencourt and Rumscheidt, for comments on the Wikileaks documents were not returned by press time.

However, the company has responded to previous queries about sales to Turkmenistan. “The nature of our business does not allow us to disclose our customers, nor how they use our products and the results that are achieved with them,” Gamma International’s Munich-based managing director, Martin Muench, told EurasiaNet.org by email last August. Gamma “complies with the national export regulations of the UK, United States and Germany and has never sold its products to any states that are restricted.”

http://www.corpwatch.org/article.php?id=15867

Offline mayya

  • Administrator
  • *****
  • Posts: 7874
Re: Turkmenistan and Oman Negotiated to Buy Spy Software: Wikileaks
« Reply #1 on: September 05, 2013, 00:32:54 AM »

From Bahrain With Love: FinFisher’s Spy Kit Exposed?

July 25, 2012


Introduction


The FinFisher Suite is described by its distributors, Gamma International UK Ltd., as “Governmental IT Intrusion and Remote Monitoring Solutions.” 1 The toolset first gained notoriety after it was revealed that the Egyptian Government’s state security apparatus had been involved in negotiations with Gamma International UK Ltd. over the purchase of the software. Promotional materials have been leaked that describe the tools as providing a wide range of intrusion and monitoring capabilities.2 Despite this, however, the toolset itself has not been publicly analyzed.

This post contains analysis of several pieces of malware obtained by Vernon Silver of Bloomberg News that were sent to Bahraini pro-democracy activists in April and May of this year. The purpose of this work is identification and classification of the malware to better understand the actors behind the attacks and the risk to victims. In order to accomplish this, we undertook several different approaches during the investigation.

As well as directly examining the samples through static and dynamic analysis, we infected a virtual machine (VM) with the malware. We monitored the filesystem, network, and running operating system of the infected VM.

This analysis suggests the use of “Finspy”, part of the commercial intrusion kit, Finfisher, distributed by Gamma International.

Delivery

This section describes how the malware was delivered to potential victims using e-mails with malicious attachments.

In early May, we were alerted that Bahraini activists were targeted with apparently malicious e-mails. The emails ostensibly pertained to the ongoing turmoil in Bahrain, and encouraged recipients to open a series of suspicious attachments. The screenshot below is indicative of typical message content:



 

The attachments to the e-mails we have been able to analyze were typically .rar files, which we found to contain malware. Note that the apparent sender has an e-mail address that indicates that it was being sent by “Melissa Chan,” who is a real correspondent for Aljazeera English.  We suspect that the e-mail address is not her real address.3  The following samples were examined:
324783fbc33ec117f971cca77ef7ceaf7ce229a74edd6e2b3bd0effd9ed10dcc الفعاليات.rar
 c5b39d98c85b21f8ac1bedd91f0b6510ea255411cf19c726545c1d0a23035914 _gpj.ArrestedXSuspects.rar
 c5b37bb3620d4e7635c261e5810d628fc50e4ab06b843d78105a12cfbbea40d7 KingXhamadXonXofficialXvisitXtoX.rar
 80fb86e265d44fbabac942f7b26c973944d2ace8a8268c094c3527b83169b3cc MeetingXAgenda.rar
 f846301e7f190ee3bb2d3821971cc2456617edc2060b07729415c45633a5a751 Rajab.rar

These contained executables masquerading as picture files or documents:
49000fc53412bfda157417e2335410cf69ac26b66b0818a3be7eff589669d040 dialoge.exe
 cc3b65a0f559fa5e6bf4e60eef3bffe8d568a93dbb850f78bdd3560f38218b5c gpj.1bajaR.exe
 39b325bd19e0fe6e3e0fca355c2afddfe19cdd14ebda7a5fc96491fc66e0faba gpj.1egami.exe
 e48bfeab2aca1741e6da62f8b8fc9e39078db574881691a464effe797222e632 gpj.bajaR.exe
 2ec6814e4bad0cb03db6e241aabdc5e59661fb580bd870bdb50a39f1748b1d14 gpj.stcepsuS detserrA.exe
 c29052dc6ee8257ec6c74618b6175abd6eb4400412c99ff34763ff6e20bab864 News about the existence of a new dialogue between AlWefaq & Govt..doc

 

The emails generally suggested that the attachments contained political content of interest to pro-democracy activists and dissidents. In order to disguise the nature of the attachments a malicious usage of the “righttoleftoverride” (RLO) character was employed. The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim’s desktop as “exe.Rajab1.jpg” (for example), along with the default Windows icon for a picture file without thumbnail.  But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as “gpj.1bajaR.exe”.  Believing that they are opening a harmless “.jpg”, victims are instead tricked into running an executable “.exe” file.4




Upon execution these files install a multi-featured trojan on the victim’s computer. This malware provides the attacker with clandestine remote access to the victim’s machine as well as comprehensive data harvesting and exfiltration capabilities.

Installation

This section describes how the malware infects the target machine.

The malware displays a picture as expected.  This differs from sample to sample.  The sample “Arrested Suspects.jpg” (“gpj.stcepsuS detserrA.exe”) displays:



 

It additionally creates a directory (which appears to vary from sample to sample):
C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF

 

It copies itself there (in this case the malware appears as “Arrested Suspects.jpg”) where it is renamed:
C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF\Arrested Suspects.jpg” => C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF\tmpD.tmp

 

Then it drops the following files:
C:\DOCUME~1\%USER%\LOCALS~1\Temp\delete.bat
 C:\DOCUME~1\%USER%\LOCALS~1\Temp\driverw.sys

 

It creates the folder (the name of which varies from host to host):
C:\Documents and Settings\%USER%\Application Data\Microsoft\Installer\{5DA45CC9-D840-47CC-9F86-FD2E9A718A41}

 

This process is observable on the filesystem timeline of the infected host (click image to enlarge):




“driverw.sys” is loaded and then “delete.bat” is run which deletes the original payload and itself. It then infects existing operating system processes, connects to the command and control server, and begins data harvesting and exfiltration.

Examining the memory image of a machine infected with the malware shows that a technique for infecting processes known as “process hollowing” is used. For example, the memory segment below from the “winlogon.exe” process is marked as executable and writeable:



 

Here the malware starts a new instance of a legitimate process such as “winlogon.exe” and before the process’s first thread begins, the malware de-allocates the memory containing the legitimate code and injects malicious code in its place.  Dumping and examining this memory segment reveals the following strings in the infected process:


 

Note the string:
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c

 

This file seems to correspond to a file in the GNU Multi-Precision arithmetic library:
http://gmplib.org:8000/gmp/file/b5ca16212198/mpn/generic/tdiv_qr.c

The process “svchost.exe” was also found to be infected in a similar manner:


 

Further examination of the memory dump also reveals the following:



 

This path appears to reference the functionality that the malware uses to modify the boot sequence to enable persistence:
y:\lsvn_branches\finspyv4.01\finspyv2\src\target\bootkit_x32driver\objfre_w2k_x86\i386\bootkit_x32driver.pdb

 

A pre-infection vs post-infection comparison of the infected VM shows that the Master Boot Record (MBR) was modified by code injected by the malware.

The strings found in memory “finspyv4.01” and “finspyv2” are particularly interesting. The FinSpy tool is part of the FinFisher intrusion and monitoring toolkit.5


Obfuscation and Evasion

This section describes how the malware is designed to resist analysis and evade identification.

The malware employs a myriad of techniques designed to evade detection and frustrate analysis. While investigation into this area is far from complete, we discuss several discovered methods as examples of the lengths taken by the developers to avoid identification.

A virtualised packer is used. This type of obfuscation is used by those that have “strong motives to prevent their malware from being analyzed”.6

This converts the native x86 instructions of the malware into another custom language chosen from one of 11 code templates.  At run-time, this is interpreted by an obfuscated interpreter customized for that particular language.  This virtualised packer was not recognised and appears to be bespoke.

Several anti-debugging techniques are used. This section of code crashes the popular debugger, OllyDbg.
.text:00401683 finit
 .text:00401686 fld ds:tbyte_40168E
 .text:0040168C jmp short locret_401698
 ———————————————————————
 .text:0040168E tbyte_40168E dt 9.2233720368547758075e18
 ———————————————————————
 .text:00401698 locret_401698:
 .text:00401698 retn

 

This float value causes OllyDbg to crash when trying to display its value. A more detailed explanation of this can be found here.

To defeat DbgBreakPoint based debuggers, the malware finds the address of DbgBreakPoint, makes the page EXECUTE_READWRITE and writes a NOP on the entry point of DbgBreakPoint.

The malware checks via PEB to detect whether or not it is being debugged, and if it is it returns a random address.

The malware calls ZwSetInformationThread with ThreadInformationClass set to 0×11, which causes the thread to be detached from the debugger.

The malware calls ZwQueryInformationProcess with ThreadInformationClass set to 0x(ProcessDebugPort) and 0x1e (ProcessDebugObjectHandle) to detect the presence of a debugger. If a debugger is detected it jumps to a random address. ZwQueryInformationProcess is also called to check the DEP status on the current process, and it disables it if it’s found to be enabled.

The malware deploys a granular solution for Antivirus software, tailored to the AV present on the infected machine.  The malware calls ZwQuerySystemInformation to get ProcessInformation and ModuleInformation. The malware then walks the list of processes and modules looking for installed AV software. Our analysis indicates that the malware appears to have different code to Open/Create process and inject for each AV solution.  For some Anti-Virus software this even appears to be version dependent. The function “ZwQuerySystemInformation” is also hooked by the malware, a technique frequently used to allow process hiding:


 
Data Harvesting and Encryption

This section describes how the malware collects and encrypts data from the infected machine.

Our analysis showed that the malware collects a wide range of data from an infected victim.  The data is stored locally in a hidden directory, and is disguised with encryption prior to exfiltration.  On the reference victim host, the directory was:

“C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}.”

We conducted forensic examination of the files created in this directory and identified a wide range of data collected.  Files in this directory were found to be screenshots, keylogger data, audio from Skype calls, passwords and more.   For the sake of brevity we include a limited set of examples here.

The malware attempts to locate the configuration and password store files for a variety browsers and chat clients as seen below (click image to enlarge):



 

We observed the creation of the file “t111o00000000.dat” in the data harvesting directory, as shown in the filesystem timeline below:
Thu Jun 14 2012 12:31:34 52719 mac. r/rr-xr-xr-x 0 0 26395-128-5 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/09e493e2-05f9-4899-b661-c52f3554c644
Thu Jun 14 2012 12:32:18 285691 …b r/rrwxrwxrwx 0 0 26397-128-4 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/t111o00000000.dat
Thu Jun 14 2012 12:55:12 285691 mac. r/rrwxrwxrwx 0 0 26397-128-4 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/t111o00000000.dat
 4096 ..c. -/rr-xr-xr-x 0 0 26447-128-4

 

The infected process “winlogon.exe” was observed writing this file via Process Monitor (click image to enlarge):


 

Examination of this file reveals that it is a screenshot of the desktop (click image to enlarge):


 

Many other modules providing specific exfiltration capabilities were observed.  Generally, the exfiltration modules write files to disk using the following naming convention: XXY1TTTTTTTT.dat.  XX is a two-digit hexadecimal module number, Y is a single-digit hexadecimal submodule number, and TTTTTTTT is a hexadecimal representation of a unix timestamp (less 1.3 billion) associated with the file creation time.

Encryption


The malware uses encryption in an attempt to disguise harvested data in the .dat files intended for exfiltration. Data written to the files is encrypted using AES-256-CBC (with no padding). The 32-byte key consists of 8 readings from memory address 0x7ffe0014: a special address in Windows that contains the low-order-4-bytes of the number of hundred-nanoseconds since 1 January 1601. The IV consists of 4 additional readings.

The AES key structure is highly predictable, as the quantum for updating the system clock (HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\LastClockRate) is set to 0x2625A hundred-nanoseconds by default, and the clock readings that comprise the key and IV are taken in a tight loop:

 0x406EA4: 8D45C0 LEA EAX,[EBP-0x40]
 0x406EA7: 50 PUSH EAX
0x406EA8: FF150C10AF01 CALL DWORD PTR [0x1AF100C]
 0x406EAE: 8B4DE8 MOV ECX,DWORD PTR [EBP-0x18]
0x406EB1: 8B45C0 MOV EAX,DWORD PTR [EBP-0x40]
 0x406EB4: 8345E804 ADD DWORD PTR [EBP-0x18],0×4
 0x406EB8: 6A01 PUSH 0×1
 0x406EBA: 89040F MOV DWORD PTR [EDI+ECX],EAX
 0x406EBD: FF152810AF01 CALL DWORD PTR [0x1AF1028]
0x406EC3: 817DE800010000 CMP DWORD PTR [EBP-0x18],0×100
 0x406ECA: 72D8 JB 0x406EA4
0x406ECC: 80277F AND BYTE PTR [EDI],0x7F
 …

 

The following AES keys were among those found to be used to encrypt records in .dat files.  The first contains the same 4 bytes repeated, whereas in the second key, the difference between all consecutive 4-byte blocks (with byte order swapped) is 0x2625A.

70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31
 bd cc 70 31 bd cc

26 e9 23 60 80 4b 26 60 da ad 28 60 34 10 2b 60 8e 72 2d 60 e8 d4 2f 60 42 37
 32 60 9c 99 34 60

 

In all, 64 clock readings are taken.  The readings are encrypted using an RSA public key found in memory (whose modulus begins with A25A944E) and written to the .dat file before any other encrypted data.  No padding is used in the encryption, yielding exactly 256 encrypted bytes.  After the encrypted timestamp values, the file contains a number of records encrypted with AES, delimited by EAE9E8FF.

In reality, these records are only partially encrypted: if the record’s length is not a multiple of 16 bytes (the AES block size), then the remainder of the bytes are written to the file unencrypted.  For example, after typing “FinSpy” on the keyboard, the keylogger module produced the following (trailing plaintext highlighted):




The predictability of the AES encryption keys allowed us to decrypt and view these partially-encrypted records in full plaintext.  The nature of the records depends on the particular module and submodule.  For example, submodule Y == 5 of the Skype exfiltration module (XX == 14), contains a csv representation of the user’s contact list:

Record # 0 Length: 243 bytes:
 ó
 @þÿ̳Ð
 @
 ¤b¯Opþ192.168.131.67JRecordingEcsv 0þ-0800UTC DST.1þ2012-07-18 18:00:21.:þ1970-01-01 00:16:00Abhwatch1

Record # 1 Length: 96 bytes:
 `USERNAME,FULLNAME,COUNTRY,AUTHORIZED,BLOCKED

Record # 2 Length: 90 bytes:
 Zecho123,Echo / Sound Test Service,,YES,NO

Record # 3 Length: 95 bytes:
 ^bhwatch2,Bahrain Watch,United States,YES,NO

 

Submodule Y == 3 records file transfers.  After a Skype file transfer concludes, the following file is created: %USERPROFILE%\Local Settings\Temp\smtXX.tmp.  This file appears to contain the sent / received file.  As soon as smtXX.tmp is finished being written to disk, a file (1431XXXXXXXX.dat) is written, roughly the same size as smtXX.tmp.  After sending a picture (of birdshot shotgun shell casings used by Bahrain’s police) to an infected Skype client, the file 1431028D41FD.dat was observed being written to disk.  Decrypting it revealed the following:
Record # 0 Length: 441 bytes:
 ¹
 @þÿ̳Ð
 @
 ¤b¯Opþ192.168.131.67Abhwatch1Bbhwatch2″CBahrain WatchIreceivedrC:\Documents and Settings\XPMUser\My Documents\gameborev3.jpgJRecording 0þ-0800UTC DST.1þ2012-07-20 12:18:21.:þ2012-07-20 12:18:21

Record # 1 Length: 78247 bytes:

[Note: Record #1 contained the contents of the .jpg file, preceded by hex A731010090051400, and followed by hex 0A0A0A0A.]

 

Additionally, submodule Y == 1 records Skype chat messages, and submodule Y == 2 records audio from all participants in a Skype call.  The call recording functionality appears to be provided by hooking DirectSoundCaptureCreate:



 
Command and Control

This section describes the communications behavior of the malware.

When we examined the malware samples we found that they connect to a server at IP address 77.69.140.194



 

WHOIS data7 reveals that this address is owned by Batelco, the principal telecommunications company of Bahrain:
inetnum: 77.69.128.0 – 77.69.159.255
 netname: ADSL
 descr: Batelco ADSL service
 country: bh

 

For a period of close to 10 minutes, traffic was observed between the infected victim and the command and control host in Bahrain.

A summary of the traffic by port and conversation size (click image to enlarge):


 

The infected VM talks to the remote host on the following five TCP ports:
22
 53
 80
 443
 4111

 

Based on observation of an infected machine we were able to determine that the majority of data is exfiltrated to the remote host via ports 443 and 4111.
192.168.131.65:1213 -> 77.69.140.194:443 1270075 bytes
 192.168.131.65:4111 -> 77.69.149.194:4111 4766223 bytes

 
Conclusions about Malware Identification

Our analysis yields indicators about the identity of the malware we have analyzed: (1) debug strings found the in memory of infected processes appear to identify the product and (2) the samples have similarities with malware that communicates with domains belonging to Gamma International.

Debug Strings found in memory

As we previously noted, infected processes were found containing strings that include “finspyv4.01” and “finspyv2” (click image to enlarge):
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c
 y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-mul_fft.c
 y:\lsvn_branches\finspyv4.01\finspyv2\src\target\bootkit_x32driver\objfre_w2k_x86\i386\bootkit_x32driver.pdb

 

Publicly available descriptions of the FinSpy tool collected by Privacy International among others and posted on Wikileaks8 make the a series of claims about functionality:
Bypassing of 40 regularly tested Antivirus Systems
Covert Communication with Headquarters
Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
Recording of common communication like Email, Chats and Voice-over-IP
Live Surveillance through Webcam and Microphone
Country Tracing of Target
Silent Extracting of Files from Hard-Disk
Process-based Key-logger for faster analysis
Live Remote Forensics on Target System
Advanced Filters to record only important information
Supports most common Operating Systems (Windows, Mac OSX and Linux)

 
Shared behavior with a sample that communicates with Gamma

The virtual machine used by the packer has very special sequences in order to execute the virtualised code, for example:
66 C7 07 9D 61 mov word ptr [edi], 619Dh
 C6 47 02 68 mov byte ptr [edi+2], 68h
 89 57 03 mov [edi+3], edx
 C7 47 07 68 00 00 00 mov dword ptr [edi+7], 68h
 89 47 08 mov [edi+8], eax
 C6 47 0C C3 mov byte ptr [edi+0Ch], 0C3h

 

Based on this we created a signature from the Bahrani malware, which we shared with another security researcher who identified a sample that shared similar virtualised obfuscation. That sample is:
md5: c488a8aaef0df577efdf1b501611ec20
 sha1: 5ea6ae50063da8354e8500d02d0621f643827346
 sha256: 81531ce5a248aead7cda76dd300f303dafe6f1b7a4c953ca4d7a9a27b5cd6cdf

 

The sample connects to the following domains:
tiger.gamma-international.de
 ff-demo.blogdns.org

 

The domain tiger.gamma-international.de has the following Whois information9:

Domain: gamma-international.de

Name: Martin Muench
 Organisation: Gamma International GmbH
 Address: Baierbrunner Str. 15
 PostalCode: 81379
 City: Munich
 CountryCode: DE
 Phone: +49-89-2420918-0
 Fax: +49-89-2420918-1
 Email: [email protected]
 Changed: 2011-04-04T11:24:20+02:00

 

Martin Muench is a representative of Gamma International, a company that sells “advanced technical surveillance and monitoring solutions”. One of the services they provide is FinFisher: IT Intrusion, including the FinSpy tool. This labelling indicates that the matching sample we were provided may be a demo copy a FinFisher product per the domain ff-demo.blogdns.org.

We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to another binary that communicates with Gamma International IP addresses. Taken alongside the explicit use of the name “FinSpy” in debug strings found in infected processes, we suspect that the malware is the FinSpy remote intrusion tool. This evidence appears to be consistent with the theory that the dissidents in Bahrain who received these e-mails were targeted with the FinSpy tool, configured to exfiltrate their harvested information to servers in Bahraini IP space. If this is not the case, we invite Gamma International to explain.

 
Recommendations

The samples from email attachments have been shared with selected individuals within the security community, and we strongly urge antivirus companies and security researchers to continue where we have left off.

Be wary of opening unsolicited attachments received via email, skype or any other communications mechanism.  If you believe that you are being targeted it pays to be especially cautious when downloading files over the Internet, even from links that are purportedly sent by friends.

 
Acknowledgements

Malware analysis by Morgan Marquis-Boire and Bill Marczak. Assistance from Seth Hardy and Harry Tuttle gratefully received.

Special thanks to John Scott-Railton.

Thanks to Marcia Hofmann and the Electronic Frontier Foundation (EFF).

We would also like to acknowledge Privacy International for their continued work and graciously provided background information on Gamma International.


Footnotes


1 http://www.finfisher.com/
2 http://owni.eu/2011/12/15/finfisher-for-all-your-intrusive-surveillance-needs/#SpyFiles
3 http://blogs.aljazeera.com/profile/melissa-chan
4 This technique was used in the recent Madi malware attacks.
5 http://www.finfisher.com/
6 Unpacking Virtualised Obfuscators by Rolf Rolles – http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf
7 http://whois.domaintools.com/77.69.140.194
8 E.g. http://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf
9 http://whois.domaintools.com/gamma-international.de

https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/