A report last week from human rights advocates Amnesty International brought to light a macOS variant of a cross-platform spyware suite known as FinSpy, developed and marketed by German-based outfit FinFisher. The FinSpy tool was written with multiple capabilities in mind, with everything from keylogger, audio recording, camera and screenshot tools to a remote access shell, file enumeration and exfiltration functions. In this post, we look at how to detect the macOS variant and list some previously unpublished IoCs.
What is FinFisher Spyware?
According to FinFisher’s own website and marketing material, the company produces tools for “tactical intelligence gathering”, “strategic intelligence gathering”, and “deployment methods and exploitation”. The company states that it only partners with “Law Enforcement and Intelligence Agencies” and has a “worldwide presence”.
Amnesty International and other civil rights organizations (e.g., the Citizen Lab), however, have noted FinSpy being used in campaigns targeting “activists, journalists and dissidents” in Egypt, Ethiopia, and the United Arab Emirates (UAE) among others. What ties these various campaigns together, aside from the use of FinFisher products, is that the targets are very frequently “human rights defenders”.
Although elements of the toolkit targeting macOS users have been known for some while to malware researchers, and some components of the macOS suite do not appear to be functional on the latest iterations of Apple’s desktop platform, our tests confirmed the malware samples shared by Amnesty will still launch and infect a macOS Catalina install, and that some of the dropped malware is not well-known to reputation services like VirusTotal.
How Does FinSpy for macOS Work?
In their report, Amnesty provided the following hash for this sample on VirusTotal which we used for our analysis:
Although some engines on VT have caught up with this sample, the majority still do not recognize it as malware at the time of writing, with only 12/59 detections.
As the sample is not Notarized, the user will need to be socially engineered to override the Notarization check on macOS Catalina, something that commodity malware authors at least have become very successful at achieving.
The trojan installer’s MacOS folder contains two executable files and a directory.
The Bash script,
Install Çağlayan, contains the logic for executing the malicious application bundle in the hidden
The ARA0848.app’s Mach-O executable contains logic to detect execution in a Virtual Machine environment as a means to thwart macOS malware researchers using any one of Parallels, VMWare or VirtualBox virtualization software:
Since it is always wise to reverse macOS malware in an isolated test environment, we had to alter the sample slightly in order to beat its built-in anti-analysis detection routine. In our case, we are using an isolated Parallels Virtual Machine for this lab, so some light binary patching should take care of the VM detection.
First, we copy the binary off the DMG to local disk, and then open the binary in the
Then we call the
xxd utility from
vi’s command line:
Next, we search for instances of “parallels”. Fortunately, there are only two:
We now edit the first character of each and change it from ‘parallels’ to ‘xarallels’ by substituting the hex 70 (‘p’) for 78 (‘x’). We then use
%!xxd -r to reverse the hex back to binary format and save out of
vi with the command
Launching the sample on macOS Catalina requires overriding the Notarization check (more on this below), after which we immediately observe a request from the malware to elevate privileges. After obliging, the malware immediately writes the following files to the user’s Library Caches folder:
Aside from that, the FinFisher spyware seeks to maintain persistence by writing a domain level LaunchAgent called
The program argument targets
/private/etc/logind, where we find the following
setuid, setgid file:
While the path at
/private/etc/logind) is well-known for this malware (see the next section), the executable dropped in our test is currently unknown on VirusTotal and, to our knowledge, has not been shared before:
A different file with the same name, but also apparently virtually unknown on VT, appears at
Is FinSpy A New Kind of Fully Undetectable Malware?
Malware authors and resellers are always keen to paint their products as ‘undetectable’ or ‘fully undetectable’ (FUD) to attract customers, and we are sure those who market tools to “Law Enforcement and Intelligence Agencies” are just as concerned to make the same claims. If you’re in the market for buying malware, particularly spyware, then being undetectable is pretty much the first feature on your shopping list.
Despite such claims, very little malware is truly “fully undetectable”, simply because it needs to behave in certain, predictable ways in order to fulfil its objectives (for example, log keystrokes, communicate with a C2 and so on), and in this regard FinSpy is no different.
In fact, elements of FinSpy have been known to security researchers and static search engines for some time. In particular, a user path used by FinFisher for the persistence agent:
has been known since at least 2017. Other path elements can be seen added to Apple’s MRT.app in stages over recent months, with new detection paths added in v1.52 and v1.64:
Despite that, even the current MRT.app, v1.66, still doesn’t search for the LaunchAgent at the domain level.
More importantly, however, is that MRT.app’s detections don’t prevent Mac users from becoming victims of FinSpy. Apple’s MRT.app is a post-infection tool that runs at periodic intervals: primarily, when the user boots the Mac or logs in to a user account, as well as when the tool is silently updated by Apple in the background.
In order to actually try and prevent launch and execution of malicious code, Apple uses a number of different technologies: namely, Gatekeeper, Notarization and XProtect. While useful, the first two suffer from the weakness that they are overridable by the user, meaning that the malware can be installed either by socially engineering the victim or by a malicious user with temporary access to the victim’s computer.
On macOS 10.15 Catalina, XProtect has become far more robust and resistant to user bypassing, but XProtect is only as useful as the signatures it contains. Since in our test we were able to execute both the FinSpy trojan installer and the hidden malicious application bundle it includes on a macOS Catalina 10.15.7 installation, we surmise that XProtect has yet to catch up with the latest FinSpy samples.
Does SentinelOne Protect Against FinSpy / FinFisher Malware?
Our test of the above samples shows that the SentinelOne agent correctly detects and blocks FinFisher/ FinSpy for macOS malware.
The SentinelOne management console Process Tree accurately maps the execution of malicious processes, correctly convicting those that belong to the malware (in red):
FinFisher’s FinSpy malware for macOS is a commercially produced and distributed product aimed at infecting Mac users for the purposes of spying, stealing data and remotely controlling the target machine. While we pass no judgement on whether this spyware is being ‘legitimately’ used by law enforcement or intelligence agencies around the world, we remain committed to ensuring that SentinelOne customers are fully protected from infection by this or any other unauthorized software on their endpoints. If you would like to see how SentinelOne can help protect your business, contact us today or request a free demo. For more insight into macOS malware threats, see here.
Indicators of Compromise
/Volumes/caglayan-macos/Install Çağlayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (Mach-O)
~/Library/Caches/org.logind.ctp.archive/helper2 (Python Script)