Traps Spies FINSPY With Its Eye … and Prevents It

Eila Shargh


FINSPY (a.k.a. FinFisher), a highly criticized spyware, has been observed being deployed following the exploit of a newly discovered, recently patched vulnerability (CVE-2017-8759).

How Does It Work?

Attackers employ social engineering, using spear phishing in a highly targeted attack, to convince victims to open an email and then a malicious document that takes advantage of CVE-2017-8759, a remote code execution vulnerability targeting Windows and Microsoft .NET Framework.

The malicious document contains embedded SOAP monikers to facilitate the attack. The malicious document’s payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. The WSDL parser parses the content and generates source code in the working directory, which is then compiled into a DLL and loaded by Microsoft Office, ultimately disabling the Microsoft Office Protected View mode.

Following the successful exploitation of the vulnerability, the malicious code uses mshta.exe to download an HTA script from the attacker’s server. The script contains PowerShell commands that remove the previously generated code and files, and then download and execute FINSPY, a known commercial-grade surveillance malware.

How Do You Stop It?

Palo Alto Networks Traps advanced endpoint protection offers multi-method malware and exploit prevention to protect against malware like FINSPY. Traps prevents script-based attacks from launching legitimate applications with highly granular controls, giving administrators the ability to whitelist or blacklist these child processes. With this capability, Traps would prevent winword.exe from running mshta.exe and launching powershell.exe.

Inclusive of its prevention techniques is local analysis via machine learning, which steps in if initial hash lookup determines a file to be unknown. Traps examine hundreds of characteristics of the file in real time to determine if the file is likely to be malicious or benign. With this technique, Traps would also be able to detect the FINSPY malware by local analysis.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS