New macOS and Linux-targeting variants of the infamous FinFisher-made spyware family FinSpy.

 

 

New macOS and Linux-targeting variants of the infamous FinFisher-made spyware family FinSpy.

 

FinFisher’s FinSpy malware for macOS is a commercially produced and distributed product aimed at infecting Mac users for spying, stealing data, and remotely controlling the target machine. FinSpy is produced by Munich- based company FinFisher Gmbh and sold to law enforcement and government agencies around the world.
Based on the publicly available information, FinSpy used to target HRDs and civil society in many countries, including Bahrain, Turkey, and Ethiopia and tied to the attacker group commonly known as NilePhish. likely to be state-sponsored. The FinSpy tool was written with multiple capabilities in mind, with everything from keylogger, audio recording, camera and screenshot tools to a remote access shell, file enumeration, and exfiltration functions.

Indicators of Compromise



Domain

flash.browserupdate.download
current.browserupdate.download
files.browserupdate.download
browserupdate.download 

IP

172.241.27.171
5.135.174.213
158.69.105.207
207.244.95.223
45.11.19.235
185.125.230.203


File Hash

 1e9162cd0941557304a6a097dfaadf59f90bc8bbaa9879afe67b5ce0d1514be8   
854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3   
bb8c0e477512adab1db26eb77fe10dadbc5dcbf8e94569061c7199ca4626a420   
80d6e71c54fb3d4a904637e4d56e108a8255036cbb4760493b142889e47b951f   
f960144126748b971386731d35e41288336ad72a9da0c6b942287f397d57c600   
fab6b3bbc14c80049f95b040680fba6d1b47f07746729d04c887a55272084648   
8f216d2f0be2c4a5c07abf45cf138453f72f00ec598327756c6fc9d5f4dabe0d   
4f3003dd2ed8dcb68133f95c14e28b168bd0f52e5ae9842f528d3f7866495cea   
bd1b8bc046dbf19f8c9bbf9398fdbc47c777e1d9e6d9ff1787ada05ed75c1b12   
9f04439bc94f2eef76b72ac2e0aeece0d4f46b6c42ef179fc860f6b5876f5f50   
928aefbcac9386c953b3491230a719ff65b21612eb6bd9b32501de149cacbc92   
14658327efaa15275fb8718956ee97ebcad5bc80312a4f3182a3b10cd3dcf257
02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9
562c420921f5146273b513d17b9f470a99bd676e574c155376c3eb19c37baa09
1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46
651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673
af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0
6ab836d19bc4b69dfe733beef295809e15ace232be0740bc326f58f9d31d8197
ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd
2584f1119c65ffd0936e2916b285389404b942c9
62e5dc40bfabaa712cd9e32ac755384db07f0dab
d3dab40d51e1b4ff332b6be1c993c916c3d58481
72cb14bc737a9d77c040affa60521686ffa80b84
9a0ede8fad59e7252502881554be0c21972238c9
427a1c1daf9030069f0c771ce172c104513a7722
a65965b960b3d322bbae467f51bf215d574b00cc

Comments

Post a Comment

Popular posts from this blog

Revil Ransomware Targeted Kaseya

Image
  Revil Ransomware Targeted Kaseya   REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. The REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.   Indicators of Compromise URLs/Domains: architekturbuero-wagner.net mindpackstudios.com vitavia.lt bouncingbonanza.com lukeshepley.wordpress.com igfap.com bockamp.com levihotelspa.fi exenberger.at tinyagency.com familypark40.com alfa-stroy72.com boompinoy.com mdacares.com architecturalfiberglass.org slupetzky.at sinal.org qualitus.com deepsouthclothingcompany.com groupe-frayssinet.fr synlab.lt kamienny-dywan24.pl ilcdover.com humancondition.co...
Read more

BANDOOK(RAT)

Image
    BANDOOK(RAT)-Malware   The payload in this attack is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli.Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server sends basic information about the infected machine and waits for additional commands from the server. Indicators of Compromise File Hash MD5 27f8d8bbbeeda5fc439ee18d9d4da343 44584c8d010242fddb44afe5ce860872 a6501c62b3a6ffa8d028a88138fe509f 7c15ee5b9a12dacaace8fb62271f12f1 4e9e12c98cfbc5f3aa3c1345bd063fa0 7ef261c151519e66ec369c63e4b1aed4 6effed1b1bb5e9ed6aafacb075c1d4e2 0475771b8bc3efc28b1834f3add608f3 045ce6679ed4086e2ded58470e24c15a 28ad9ace11919b57bf54...
Read more

Buer Loader provides malware-as-a-service

Image
  Buer Loader provides malware-as-a-service       Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader. “A new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). Indicators of Compromise File Hashes 10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1 32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5 5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4   6c7f43434e5db8703c0a47dedeeab976159d8704bfb...
Read more