ESET Whitepaper

ESET's guide to deobfuscating and devirtualizing FinFisher

Thanks to its strong anti-analysis measures, the FinFisher spyware has gone largely unexplored. Despite being a prominent surveillance tool, only partial analyses have been published on its more recent samples.

Things were put in motion in the summer of 2017 with ESET’s analysis of FinFisher surveillance campaigns that ESET had discovered in several countries. In the course of our research, we have identified campaigns where internet service providers most probably played the key role in compromising the victims with FinFisher.

When we started thoroughly analyzing this malware, the main part of our effort was overcoming FinFisher’s anti-analysis measures in its Windows versions. The combination of advanced obfuscation techniques and proprietary virtualization makes FinFisher very hard to de-cloak.

To share what we learned in de-cloaking this malware, we have created this guide to help others take a peek inside FinFisher and analyze it.

Apart from offering practical insight into analyzing FinFisher’s virtual machine, the guide can also help readers to understand virtual machine protection in general.

Hopefully, experts from security researchers to malware analysts will make use of this whitepaper to better understand FinFisher’s tools and tactics, and to protect their customers against this omnipotent security and privacy threat

To read the whitepaper, please enter your details in the form.

Request Your Newsletter