In 2012, Rapid7 researchers discovered a number of C&C servers around the world that responded when contacted by the malware, but it was impossible to tell whether they belonged to governments.
Toronto-based Citizen Lab's latest report shows that the number of countries in which active FinFisher C&C servers are located has jumped to 36. They include Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States and Vietnam.
The report also revealed that the spyware is being distributed to Malay-language speakers disguised as the popular Mozilla Firefox web browser.
The report includes a screenshot comparing the file details of the malicious file (left) with those of the legitimate firefox.exe (right): the impostor carries Firefox's product name in its version information.
"This is not the first time that a FinSpy sample has used the “Mozilla Firefox” product name to masquerade as legitimate software. Samples from the FinSpy campaign targeting Bahraini activists last year used an assembly manifest that impersonated Mozilla’s Firefox browser," the researchers noted.
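The impersonation described above lives in the PE version resource (ProductName, CompanyName, OriginalFilename), which is exactly what the file-details pane displays. As an added example that is not part of Citizen Lab's report or of any Mozilla or Gamma code, the Python below pulls those strings out of raw PE bytes and flags a file that calls itself Firefox but whose SHA-256 is not in a known-good set. All sample bytes, names and the known-good set are constructed here for the example; they are not strings or hashes from a real FinSpy sample.

```python
"""Quick triage for binaries masquerading as Firefox via PE version info.

Added example for this article (not Citizen Lab or Mozilla code). It pulls
ProductName/CompanyName/OriginalFilename out of a PE's VS_VERSIONINFO string
table and flags files that claim to be Mozilla Firefox but whose SHA-256 is
not in a known-good set. All sample bytes and the known-good set are
constructed below; they are not taken from a real FinSpy sample.
"""
import hashlib
import struct

# StringFileInfo keys worth checking; stored as UTF-16LE, NUL-terminated.
KEYS = ("ProductName", "CompanyName", "OriginalFilename")


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def read_version_strings(data: bytes) -> dict:
    """Extract selected StringFileInfo values from raw PE bytes.

    A VS_VERSIONINFO 'String' record is laid out as WORD wLength, WORD
    wValueLength, WORD wType, the UTF-16LE key plus NUL, padding to a 4-byte
    boundary, then the UTF-16LE value plus NUL. Locating the key and reading
    the aligned value that follows is enough for triage; a full parser would
    walk the .rsrc directory to the RT_VERSION entry instead.
    """
    found = {}
    for key in KEYS:
        needle = _u16(key) + b"\x00\x00"
        idx = data.find(needle)
        if idx < 0:
            continue
        pos = idx + len(needle)
        pos += (-pos) % 4  # value starts on the next 4-byte boundary
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        found[key] = data[pos:end].decode("utf-16-le", errors="replace")
    return found


def triage(data: bytes, known_good: set) -> dict:
    """Flag a file that presents itself as Firefox but is not a known build."""
    info = read_version_strings(data)
    digest = hashlib.sha256(data).hexdigest()
    claimed = info.get("ProductName", "") + " " + info.get("OriginalFilename", "")
    claims_firefox = "firefox" in claimed.lower()
    return {
        "version_info": info,
        "sha256": digest,
        "claims_firefox": claims_firefox,
        "suspicious": claims_firefox and digest not in known_good,
    }


# --- constructed sample data -------------------------------------------------

def _string_record(key: str, value: str) -> bytes:
    """Build one String record in the layout read_version_strings expects."""
    k = _u16(key) + b"\x00\x00"
    pad = b"\x00" * ((-(6 + len(k))) % 4)   # align the value to 4 bytes
    v = _u16(value) + b"\x00\x00"
    header = struct.pack("<HHH", 6 + len(k) + len(pad) + len(v), len(value) + 1, 1)
    rec = header + k + pad + v
    return rec + b"\x00" * ((-len(rec)) % 4)  # keep the next record aligned


def _fake_pe(strings: dict) -> bytes:
    """A 64-byte stand-in for the DOS/PE headers followed by String records,
    so the records begin on a 4-byte boundary as in a real .rsrc section."""
    blob = b"MZ" + b"\x00" * 62
    for key, value in strings.items():
        blob += _string_record(key, value)
    return blob


LEGIT = _fake_pe({"CompanyName": "Mozilla Corporation",
                  "ProductName": "Mozilla Firefox",
                  "OriginalFilename": "firefox.exe"})
# Same version strings, different code: the impersonation the report describes.
IMPOSTOR = LEGIT + b"\x90" * 16
UNRELATED = _fake_pe({"CompanyName": "Example Ltd",
                      "ProductName": "Notepad Clone",
                      "OriginalFilename": "clone.exe"})

# Known-good set seeded only from the constructed 'legitimate' build.
KNOWN_GOOD_FIREFOX_SHA256 = {hashlib.sha256(LEGIT).hexdigest()}

if __name__ == "__main__":
    for name, blob in (("LEGIT", LEGIT), ("IMPOSTOR", IMPOSTOR),
                       ("UNRELATED", UNRELATED)):
        r = triage(blob, KNOWN_GOOD_FIREFOX_SHA256)
        print(f"{name:9s} claims_firefox={r['claims_firefox']} "
              f"suspicious={r['suspicious']} {r['version_info']}")
```

The hash set is a stand-in for the real control: a production check would verify that the Authenticode signature chains to Mozilla Corporation, since version strings and the assembly manifest are attacker-controlled text, and a parser that walks the resource directory is more robust than a byte scan against files that embed the same key strings elsewhere.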
Following this revelation, Mozilla sent Gamma a cease-and-desist letter demanding that it stop these practices and cease misusing Mozilla's brand, trademarks and public trust.
"Mozilla has a longstanding history of protecting users online and was named the Most Trusted Internet Company for Privacy in 2012 by the Ponemon Institute. We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy," they stated.
Privacy International has recently been trying to discover under which conditions Gamma International has been allowed to export FinFisher, but so far with little success, Citizen Lab researchers pointed out.
I recommend reading the entire report, as it goes into great detail about how the spyware works. You can download it here.