FinFisher/FinSpy seen in targeted emails (July 31, 2012)

Dell SonicWALL Threats Research team received reports of a spying tool being sent as an attachment in spear phishing emails targeting activists. The tool, called FinFisher/FinSpy, has been linked to covert use by various governments for surveillance within and across their borders. It behaves like a Trojan and uses various stealth techniques to evade detection. It harvests user data and attempts to upload the encrypted data to a remote server.

The executable in the email attachment uses the following misleading icons:

    [screenshot: icons used by the executable in the email attachment]

The FinSpy tool when executed performs the following activities:

  • It creates the following files:
    • %appdata%\Microsoft\Installer\mssounddx.sys [Detected as GAV: FinSpy.A_3 (Trojan)]
    • %appdata%\Microsoft\Installer\shellex32.dll [Detected as GAV: FinSpy.A_4 (Trojan)]
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}80C.dat (Harvested data)
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}(02-21)C.dat (Harvested data)
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}ico_ty23.ico (Harvested data)
    • %temp%\delete.bat (Batch file with commands to delete itself)
  • It creates the following registry key to ensure infection on reboot:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssounddx: "%appdata%\Microsoft\Installer\mssounddx.sys"
  • It hooks the following API in ntdll.dll:
    • CsrClientCallServer
  • It starts iexplorer.exe and injects code into it
  • It attempts to contact the following remote servers (these sub-domains no longer resolve):
    • tiger.gamma-international.de
    • ff-demo.blogdns.org
  • It attempts to send encrypted data over TCP ports 22, 3111, 3112 and 3113:

    [screenshot: encrypted data sent over TCP ports 22, 3111, 3112 and 3113]

  • It attempts to disguise itself as Mozilla Firefox as seen from the resource section:

    [screenshot: resource section with Mozilla Firefox version information]
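The file, service and network indicators listed above can be turned into a simple host and log sweep. The following is an added example written for this page, not code from the original advisory or from Dell SonicWALL: the indicators are taken from the list above, while the observed-artefact input shapes, the log line format and all sample data are constructed assumptions. Port 22 is ordinary SSH traffic, so the example only flags it when it is paired with one of the listed domains; the other three ports are flagged on their own.

```python
"""Match host and network artefacts against the FinSpy indicators above.

Added example, not part of the original advisory. Input shapes, the log
format and all sample values below are constructed for illustration.
"""
import re
from fnmatch import fnmatch

# File artefacts from the advisory. The GUID-named .dat files are generalised
# to a wildcard because the advisory shows two different suffixes (80C, (02-21)C).
FILE_INDICATORS = [
    r"%appdata%\Microsoft\Installer\mssounddx.sys",
    r"%appdata%\Microsoft\Installer\shellex32.dll",
    r"%appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}*.dat",
    r"%appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}ico_ty23.ico",
    r"%temp%\delete.bat",
]
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssounddx"
C2_DOMAINS = {"tiger.gamma-international.de", "ff-demo.blogdns.org"}
C2_PORTS = {22, 3111, 3112, 3113}
NOISY_PORTS = {22}  # SSH: only meaningful together with a listed domain

# Constructed profile locations (assumption: a Vista/7-style user profile).
APPDATA = r"C:\Users\alice\AppData\Roaming"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> [host=<name>]"
LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)(?:\s+host=(?P<host>\S+))?")


def expand(pattern, appdata, temp):
    """Replace the %appdata% / %temp% tokens with concrete, lower-cased paths."""
    return pattern.replace("%appdata%", appdata).replace("%temp%", temp).lower()


def match_files(observed_paths, appdata, temp):
    """Return observed paths that match a listed file indicator (case-insensitive)."""
    patterns = [expand(p, appdata, temp) for p in FILE_INDICATORS]
    return [p for p in observed_paths if any(fnmatch(p.lower(), pat) for pat in patterns)]


def match_services(observed_services):
    """observed_services maps service key path -> image path; return matching entries."""
    return [(key, image) for key, image in observed_services.items()
            if key.lower() == SERVICE_KEY.lower()]


def match_network(log_lines):
    """Flag connections to a listed domain, or to a listed non-noisy port.

    Returns (host, port, reason) tuples; bare port-22 traffic is not flagged.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a destination/port
        port = int(m.group("dport"))
        host = (m.group("host") or m.group("dst")).lower()
        domain_hit = host in C2_DOMAINS
        port_hit = port in C2_PORTS and port not in NOISY_PORTS
        if domain_hit or port_hit:
            hits.append((host, port, "domain" if domain_hit else "port"))
    return hits


def scan(observed_paths, observed_services, log_lines, appdata, temp):
    """Run all three indicator checks and collect the results."""
    return {
        "files": match_files(observed_paths, appdata, temp),
        "services": match_services(observed_services),
        "network": match_network(log_lines),
    }


# Constructed sample input: two clean entries mixed in with the indicators.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Installer\mssounddx.sys",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}80C.dat",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Installer\readme.txt",
    r"C:\Users\alice\AppData\Local\Temp\delete.bat",
]
SAMPLE_SERVICES = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssounddx":
        r"%appdata%\Microsoft\Installer\mssounddx.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp":
        r"C:\Windows\system32\svchost.exe -k NetworkService",
}
SAMPLE_LOG = [
    "2012-07-31T09:12:04Z src=10.0.0.5 dst=203.0.113.10 dport=3111 host=tiger.gamma-international.de",
    "2012-07-31T09:12:09Z src=10.0.0.5 dst=203.0.113.10 dport=22 host=ff-demo.blogdns.org",
    "2012-07-31T09:15:00Z src=10.0.0.7 dst=192.0.2.44 dport=22",
    "2012-07-31T09:16:30Z src=10.0.0.7 dst=192.0.2.80 dport=443 host=www.example.com",
    "2012-07-31T09:17:01Z src=10.0.0.9 dst=198.51.100.2 dport=3113",
]

if __name__ == "__main__":
    for section, hits in scan(SAMPLE_PATHS, SAMPLE_SERVICES, SAMPLE_LOG, APPDATA, TEMP).items():
        print(section, hits)
```

On the constructed sample the sweep reports three file hits, the mssounddx service entry, and three network hits (two by domain, one by port 3113); the bare SSH connection to 192.0.2.44 is left alone. Matching on `%appdata%` and `%temp%` tokens rather than hard-coded drive letters keeps the indicator list usable across profiles.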

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FinSpy.A (Trojan)
  • GAV: FinSpy.A_2 (Trojan)
  • GAV: FinSpy.A_3 (Trojan)
  • GAV: FinSpy.A_4 (Trojan)
  • IPS: FinFisher Server Traffic
  • IPS: FinFisher Client Connection Attempt