The team of researchers has been tracking the spyware for over a year now and have found traces of the ‘lawful interception’ tool in as many as 25 courtiers with a total of 36 command and control servers. According to the researchers FinSpy has been changing tactics and behaviour over the last few months, since October to be precise, in a bid to evade detection.
Gamma International, the makers of the spyware, allegedly changed the FinSpy protocol to keep the activities of the spyware a secret. Following this the researchers also “devised a new fingerprint” and carried out a scan that took around two months to complete. During the course of the scan, the team sent out 12 billion packets that resulted into discovery of a total of 36 C&C servers out of which 30 were new. The new countries that showed up on the list were Bangladesh, Canada, India, Malaysia, Mexico, Serbia and Vietnam. Previous studies pinpointed the spyware in 10 countries.
Surprisingly, the researchers have revealed that many of the C&C which showed up previously haven’t been detected in the latest scan. Countries where FinSpy was found earlier have shown no signs of this spyware in the recent study – Brunei, Mongolia, Latvia and UAE. Chances are that the operators have either gone underground of the activity has been stopped; we presume the former.
Researchers have noted, “Importantly, we believe that our list of servers is incomplete due to the large diversity of ports used by FinSpy servers, as well as other efforts at concealment.”
The discovery of C&C in new countries doesn’t implicate the involvement of the local government in the country. The researchers further note, “Moreover, discovery of a FinSpy command and control server in a given country is not a sufficient indicator to conclude the use of FinFisher by that country’s law enforcement or intelligence agencies.”
“In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country”, the researchers add further.
The report details new samples found in Vietnam and Ethiopia. The researchers noted that the server found in Ethiopia was in sync with those found in other countries. The sample found in Vietnam was a mobile version of the spyware – FinSpy for Android.