Microsoft

[Figure 3: FinFisher stages]

Office 365 Advanced Threat Protection (Office 365 ATP) blocked many notable zero-day exploits in 2017. In our analysis, one activity group stood out: NEODYMIUM. This threat actor is remarkable for two reasons:

  • Its access to sophisticated zero-day exploits for Microsoft and Adobe software
  • Its use of an advanced piece of government-grade surveillance spyware, FinFisher, also known as FinSpy and detected by Microsoft security products as Wingbird (Backdoor:Win32/Wingbird.A!dha)

FinFisher is such a complex piece of malware, layered with anti-analysis traps and custom virtual-machine-based obfuscation, that, like other researchers, we had to devise special methods to crack it.


Read the rest of the post: FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines (https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)