h-Online: Citizenlab has released a detailed analysis of the activities of a trojan in which the experts conclude that the malware is most likely closely related to FinFisher, a commercial spyware tool developed by a company called Gamma International. The trojan targeted political activists in Bahrain and included sender names such as that of an Al Jazeera correspondent and subject lines like “Torture reports on Rabil Najaab”.
The attached .exe file, disguised as an image, disabled anti-virus software and installed a complete set of spyware programs on the recipient’s PC. The spyware proceeded to monitor, among other things, the victim’s Skype communications including conversations and file transfers. An analysis of the infected systems’ working memory repeatedly produced the “finspy” character string. This name is used by Gamma to advertise FinFisher modules.
The trojan even displayed images while launching its background activities
The researchers say that the malware used a very special .exe packer whose signature was also recognised in another malware sample that is thought to be a demo version of the trojan. The malware communicated with servers such as tiger.gamma-international.de, whose domain is registered with Gamma International GmbH in Germany. Although the producers of FinFisher, Gamma International Ltd, officially operate from the UK, there is significant evidence that the software is being developed in Germany. The FinFisher surveillance tool has repeatedly attracted attention in connection with the monitoring of political activists by government agencies. Gamma International recently received a Big Brother Award for its activities.