Amnesty International revealed the existence of Linux and macOS variants of FinSpy, a commercially available spy suite used extensively by threat actors, as well as law enforcement agencies and government from around the world.
Criminals are not responsible for all spyware, and FinSpy is just one example of a commercial solution aiming at fulfilling the same tasks. The only difference is that governments are the usual clients. Unfortunately, these tools sometimes fall into the wrong hands and can be used aggressively by hackers or state actors looking to crack down on the opposition.
FinFisherGmbh has been making the software for more than a decade, and Amnesty International has been tracking its use worldwide. In a recent investigation, they found a group named NilePhish was going after Egyptian human rights defenders and media and civil society organizations staff using this software.
The software was disguised as a Flash player update, used as a dropper for the FinSpy installer. The application can intercept encrypted communication and data, install other software on target computers or mobile devices, and much more. Now, new versions designed for Linux and macOS have appeared online, but research shows a different group is likely behind it.
“In the fall of 2019, while investigating recent versions of FinSpy following the discovery of its use by NilePhish, we identified additional FinSpy samples through the malware research platform VirusTotal hosted at a server located at the IP address 158.69.105[.]207,” says Amnesty International. “We believe this server has no relation to NilePhish and belongs to a different FinSpy operator.”
A few indicators of compromise derived from the Amnesty International investigation are available as well, for all the platforms the application runs on. A good security solution would not differentiate between regular malware and commercial versions.