Egypt Still Using FinFisher Spyware to Track Journalists, Civil Society Groups


A spyware tool developed by a British-German company that can infiltrate computer operating systems, record every keystroke, intercept calls and siphon off data is still being used by Egypt to target journalists and activists, many years after it was first identified, according to a new report from Amnesty International.

FinSpy, also known as FinFisher, is sold as a “lawful interception” product by its British-German maker. Since it first came to public attention during the Arab Spring, FinFisher has been connected with a number of authoritarian and other governments around the world, which use it to spy on citizens and civil society groups.

In 2014, a hacktivist going by the name Phineas Fisher released FinFisher source code, pricing information and a client list online. Now previously undisclosed versions of FinSpy built to target Linux and macOS systems have been discovered in Egypt, a country that remains a FinFisher customer despite being one of the most dangerous environments for journalists.

The assault on Egypt’s journalists and those accused of opposing the government has been stepped up during the COVID-19 pandemic under the guise of public safety.

FinSpy targets desktop and mobile operating systems, including Android, iOS and Windows, and can secretly switch on a device's webcam and microphone. According to Amnesty's report, the new samples do not appear to be linked to NilePhish, a hacking group known for attacking Egyptian NGOs in a series of intrusions that used an older version of FinSpy, phishing techniques and malicious Flash Player downloads.

Amnesty believes the new FinSpy samples are being used by a separate, as yet unidentified hacking group, which it assesses to be state-sponsored and active since September 2019.

The malware samples, which had been uploaded to VirusTotal, were discovered as part of Amnesty's ongoing effort to track and monitor NilePhish's activities.

The new binaries are obfuscated and halt their malicious activity when they detect that they are running inside a virtual machine, which makes them harder for analysts to examine.

Even if the targeted device isn't already running with root privileges, the spyware attempts to gain root access using previously disclosed exploits. "The modules available in the Linux sample are almost identical to the MacOS sample," the researchers said.

"The modules are encrypted with the AES algorithm and compressed with the aplib compression library. The AES key is stored in the binary, but the IV is stored in each configuration file along with an MD5 hash of the final decompressed file,” they added.
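The module packaging the researchers describe above, worked through as an added example; this is neither Amnesty's tooling nor code from the spyware. It ports the aPLib reference depacker and wraps it in an unpack routine that decrypts with the key taken from the binary and the IV taken from the configuration, decompresses, and compares the MD5 against the value the configuration carries. The report names AES but not the mode, so AES-128-CBC is an assumption here, as are the hex MD5 format, the test key and IV, and the hand-encoded sample stream (constructed so that it decodes to "ABABAABABA"); the `maxOut` cap is an addition of this example, not a property of the format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

func b2i(c bool) int {
	if c {
		return 1
	}
	return 0
}

// aplibDecompress ports the aPLib reference depacker (tag bytes are read MSB-first, raw bytes
// sit in between). maxOut is this example's own guard: a corrupt or hostile stream cannot
// expand without bound.
func aplibDecompress(src []byte, maxOut int) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("aplib: %v", r)
		}
	}()
	pos, tag, nbits := 0, byte(0), 0
	getByte := func() byte {
		if pos >= len(src) {
			panic("truncated stream")
		}
		pos++
		return src[pos-1]
	}
	getBit := func() int {
		if nbits == 0 {
			tag, nbits = getByte(), 8
		}
		bit := int(tag >> 7)
		tag, nbits = tag<<1, nbits-1
		return bit
	}
	getGamma := func() int { // gamma code, always >= 2: a data bit, then a continue bit
		for v := 1; ; {
			if v = v<<1 + getBit(); getBit() == 0 {
				return v
			}
		}
	}
	copyBack := func(offs, n int) { // byte-wise so overlapping copies work
		if offs <= 0 || offs > len(out) || n > maxOut-len(out) {
			panic("bad match")
		}
		for i := 0; i < n; i++ {
			out = append(out, out[len(out)-offs])
		}
	}
	out = []byte{getByte()} // the first byte is always stored raw
	r0, lwm := -1, 0        // previous offset; "last token was a match"
	for {
		switch { // each case consumes one more prefix bit
		case getBit() == 0: // 0: literal byte
			out, lwm = append(out, getByte()), 0
		case getBit() == 0: // 10: gamma offset and gamma length
			if offs := getGamma(); lwm == 0 && offs == 2 {
				copyBack(r0, getGamma()) // reuse the previous offset
			} else {
				offs = (offs-3+lwm)<<8 + int(getByte())
				copyBack(offs, getGamma()+b2i(offs >= 32000)+b2i(offs >= 1280)+2*b2i(offs < 128))
				r0 = offs
			}
			lwm = 1
		case getBit() == 0: // 110: short match; offset 0 is the end marker
			b := int(getByte())
			if b>>1 == 0 {
				return out, nil
			}
			copyBack(b>>1, 2+(b&1))
			r0, lwm = b>>1, 1
		default: // 111: one byte from a 4-bit offset, 0 meaning a zero byte
			offs := 0
			for i := 0; i < 4; i++ {
				offs = offs<<1 + getBit()
			}
			if offs == 0 {
				out = append(out, 0)
			} else {
				copyBack(offs, 1)
			}
			lwm = 0
		}
	}
}

// unpackModule reverses the packaging the researchers describe. Assumed here, since the
// report does not say: AES-128 in CBC mode and a hex MD5 in the config. The aPLib end marker
// makes any trailing block padding irrelevant.
func unpackModule(blob, key, iv []byte, wantMD5 string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of AES blocks")
	}
	packed := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(packed, blob)
	plain, err := aplibDecompress(packed, 1<<20)
	if err != nil {
		return nil, err
	}
	if sum := md5.Sum(plain); hex.EncodeToString(sum[:]) != wantMD5 {
		return nil, fmt.Errorf("md5 mismatch: %x != %s", sum, wantMD5)
	}
	return plain, nil
}

// Constructed test data, not a real FinSpy module: a hand-encoded aPLib stream that decodes to
// "ABABAABABA" (literal A, literal B, short match, gamma match, end marker), plus stand-ins for
// the key embedded in the binary and for the IV carried in the config.
var (
	samplePacked = []byte{'A', 0x68, 'B', 0x05, 0x05, 0xB0, 0x00}
	sampleKey    = []byte("0123456789abcdef")
	sampleIV     = []byte("fedcba9876543210")
)

// sampleModule produces the pair an analyst would hold: the encrypted blob and the MD5 the
// config lists for the decompressed file.
func sampleModule() ([]byte, string) {
	packed := make([]byte, aes.BlockSize) // zero-padded to one block
	copy(packed, samplePacked)
	block, _ := aes.NewCipher(sampleKey)
	cipher.NewCBCEncrypter(block, sampleIV).CryptBlocks(packed, packed)
	sum := md5.Sum([]byte("ABABAABABA"))
	return packed, hex.EncodeToString(sum[:])
}

func main() {
	blob, want := sampleModule()
	plain, err := unpackModule(blob, sampleKey, sampleIV, want)
	fmt.Printf("unpacked %q (err=%v)\n", plain, err)
}
```

Two things worth noting when using this against real samples. The MD5 in the configuration is an integrity check, not authentication: anyone holding the AES key that sits in the binary can produce a module that passes it. And the order of checks matters for analysis: a wrong key or mode shows up as an aPLib error or a garbage-length output long before the hash comparison, so a failing hash with a clean decompression usually means the configuration and module do not belong together.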

Amnesty also published indicators of compromise (IoCs) so that other researchers can investigate these attacks further and users can check whether their own machines were compromised.

Kaspersky researchers last year uncovered a campaign in which FinSpy implants were spying on users in Myanmar; the Russian cyber-defense company found that FinSpy can track nearly every interaction on a mobile phone.

That includes messages sent through encrypted apps such as Telegram, Facebook's WhatsApp, Skype, Signal and BlackBerry Messenger, giving criminals and governments a powerful tool to read users' texts and monitor their calls. The implant does not break the apps' encryption; it reads the content on the compromised device, where it is already decrypted for display.

“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” Alexey Firsh, a security researcher at Kaspersky, told Cyberscoop last year.

Amnesty, which in March 2019 described phishing attacks against Egyptian human rights defenders, media and civil society groups, said it has stepped up its investigation into the country's use of FinSpy.

It said the spyware is also being used in Bahrain, Ethiopia and the United Arab Emirates.
