Spyware Trojans with a built-in keylogger and data-stealing functions are one of the oldest kinds of malware. Over a quarter of a century the genre has only evolved, acquiring ever more anti-detection features; along the way it moved onto mobile devices, and varieties built specifically for targeted attacks appeared. In this article we look at the best-known representatives of commercial spyware and discuss protective measures.
FinFisher Tracking Trojan
A cyber-espionage suite called FinFisher, also known as FinSpy, was developed by Gamma Group and is reported to have been used for political surveillance of journalists and dissidents around the world. Material on the program was published by WikiLeaks in 2011, after which it became public knowledge and came under close scrutiny from information-security researchers and other interested parties.
FinFisher can intercept the victim's correspondence on social networks, track e-mail, work as a keylogger, give access to files stored on the infected machine, and record video and audio with the built-in camera and microphone. There are FinFisher builds for Windows, macOS and Linux. In addition, mobile versions of the Trojan were created for almost every platform of the day: Android, iOS, BlackBerry, Symbian and Windows Mobile.
The FinFisher distribution scheme is typical of Trojans: the spyware was delivered by downloaders, sent by e-mail disguised as useful applications or arriving on the computer as updates to a previously installed legitimate program. One attack investigated by ESET also used a man-in-the-middle scheme: when trying to download a program, an unsuspecting victim was redirected to a phishing site, from which he downloaded an installer bundled with the Trojan. In the case ESET examined, FinFisher was built into a TrueCrypt distribution. The irony is that a user who wanted to protect their data by encrypting the drive installed spyware on their own machine with their own hands.
The creators tried to make FinFisher as stealthy as possible and to hinder its detection in every way: the code contains anti-debugging checks, refuses to run inside a virtual machine, resists disassembly, and is obfuscated. The program also avoids visible side effects on the infected system so as not to attract the user's attention.
FinFisher Trojan Protection
Catching FinFisher on a device by hand is a real challenge. Known samples are detected and removed by popular antivirus products, but unknown ones are another matter.
No matter how trite it sounds, a properly configured firewall is an obvious (and very effective) defence against this spy. During operation FinFisher connects not only to its command-and-control server (whose address varies from sample to sample) but also to several other hosts from which its components are downloaded. If the firewall is configured to block, by default, any application connection to a host that is not explicitly allowed, FinFisher cannot work properly on that device. And to avoid receiving a package tampered with by an attacker instead of a clean distribution, download software over HTTPS and take the trouble to verify its digital signature before running it.
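The default-deny egress policy described above can be rehearsed offline against connection records before it is enforced in the firewall. The following is an added example, not FinFisher tooling or anything from the ESET write-up: the per-application allow-list, the process names and the log lines are constructed for illustration (the addresses come from the RFC 5737 documentation ranges), and the log format is a hypothetical pipe-separated timestamp, process, host, port.

```python
"""Per-application egress allow-list check over connection records (added example).

The allow-list, process names and log lines are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical allow-list: remote hosts each program is permitted to reach.
# "*" means unrestricted; a bare domain also matches its subdomains.
ALLOWLIST = {
    "firefox.exe": {"*"},                     # a browser may go anywhere
    "svchost.exe": {"update.microsoft.com"},  # assumed for the example
    "truecrypt-setup.exe": set(),             # an installer has no business online
}

# Constructed log lines modelled on firewall / EDR "network connect" events:
# timestamp|process|destination host|destination port
SAMPLE_LOG = """\
2017-09-21T10:02:11|firefox.exe|www.eset.com|443
2017-09-21T10:03:40|truecrypt-setup.exe|203.0.113.17|80
2017-09-21T10:03:41|truecrypt-setup.exe|203.0.113.17|80
2017-09-21T10:03:55|truecrypt-setup.exe|198.51.100.9|443
2017-09-21T10:04:02|svchost.exe|update.microsoft.com|443
2017-09-21T10:06:30|svchost.exe|192.0.2.44|8080
"""


def is_allowed(process, host, allowlist=ALLOWLIST):
    """Default deny: an unknown process and an unlisted host are both rejected."""
    allowed = allowlist.get(process.lower())
    if not allowed:
        return False
    for entry in allowed:
        if entry == "*" or host == entry or host.endswith("." + entry):
            return True
    return False


def parse_log(text):
    """Yield (timestamp, process, host, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        ts, proc, host, port = fields
        yield ts, proc, host.lower(), int(port)


def find_violations(text, allowlist=ALLOWLIST):
    """Return every connection the allow-list would have blocked."""
    return [rec for rec in parse_log(text) if not is_allowed(rec[1], rec[2], allowlist)]


def staging_offenders(violations, min_hosts=2):
    """Processes that reached several unknown hosts: the pattern described above,
    where a C2 contact is followed by component downloads from other hosts."""
    hosts = defaultdict(set)
    for _, proc, host, _ in violations:
        hosts[proc].add(host)
    return {proc: sorted(h) for proc, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    blocked = find_violations(SAMPLE_LOG)
    for ts, proc, host, port in blocked:
        print(f"BLOCK {ts} {proc} -> {host}:{port}")
    print("processes staging from several unknown hosts:", staging_offenders(blocked))
```

The point of the second pass (staging_offenders) is that a single odd connection is noise, while one process reaching several hosts it was never allowed to reach is exactly the download-your-components behaviour the text describes, and is worth an alert even when the first destination is later allow-listed by mistake.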
Tracking Trojan Adwind
This cross-platform program, which can be classified as a remote control system (RCS) or a RAT (remote access tool), drew wide attention in 2016, although it had surfaced much earlier, in 2013. The Trojan has gone by many names: Sockrat, JSocket, jRat, Unrecom, Frutas and AlienSpy. In fact, all of them are the same tune replayed.
Since Adwind is written in Java, it targets almost every platform that supports it: Windows, Linux, macOS and, of course, Android. Its popularity among cybercriminals is due first of all to the fact that for a long time the Trojan was distributed under a SaaS (Software as a Service) model, that is, by subscription. The developers had their own online store, a technical support service and even an advertising channel with videos on YouTube. The price was quite democratic: from 20 to 300 US dollars, depending on the chosen service package. The second reason is how easy it was to obtain a working, crypted build that antivirus software would not flag, at least until someone uploaded it to VirusTotal.
The Trojan's main purpose is to give an attacker unauthorized access to the compromised machine. In addition, it can take screenshots, log keystrokes, steal saved passwords and form data from browsers, and operate the camera and microphone.
The spy's main distribution channel is e-mail seasoned with social engineering. Potential victims received messages either with a downloader in .JAR format attached, or with HTML containing VBScript and JScript inserts that quietly fetched the JRE and the Trojan dropper onto the machine. Kaspersky Lab analysts have also documented Adwind being distributed in RTF documents carrying an exploit for CVE-2012-0158.
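A mail gateway or an analyst can triage attachments for exactly the three delivery patterns listed above: .JAR attachments, HTML with VBScript or JScript, and RTF carrying an embedded object. The following is an added example, not Kaspersky's or anyone else's tooling; the sample message and its attachments are constructed inline, and the RTF check (flagging an embedded \object) is an assumed heuristic for the lure format, not a detector for CVE-2012-0158 itself.

```python
"""Triage of e-mail attachments for the Adwind delivery patterns (added example).

The sample message, its attachments and the heuristics are constructed for illustration.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Matches <script language="VBScript">, <script type="text/jscript"> and similar.
SCRIPT_RE = re.compile(rb"<script[^>]*(vbscript|jscript)", re.IGNORECASE)


def looks_like_jar(data):
    """A JAR is a ZIP archive containing a manifest and/or .class entries."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return False
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)


def classify_attachment(filename, content_type, data):
    """Return the reasons (possibly none) an attachment deserves a closer look."""
    name = (filename or "").lower()
    reasons = []
    if name.endswith(".jar") or looks_like_jar(data):
        reasons.append("Java archive: .JAR downloader pattern")
    if (name.endswith((".html", ".htm")) or content_type == "text/html") and SCRIPT_RE.search(data):
        reasons.append("HTML carrying a VBScript/JScript block")
    if (name.endswith(".rtf") or data.lstrip().startswith(b"{\\rtf")) and b"\\object" in data:
        reasons.append("RTF with an embedded OLE object (assumed heuristic for exploit-bearing lures)")
    return reasons


def triage_message(raw):
    """Map attachment filename -> reasons, for every attachment that raised at least one."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text/* parts come back decoded to str
            data = data.encode("utf-8", "surrogateescape")
        reasons = classify_attachment(part.get_filename(), part.get_content_type(), data)
        if reasons:
            findings[part.get_filename()] = reasons
    return findings


def build_sample_message():
    """Constructed lure resembling the ones described above (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.")
    # A minimal JAR: a ZIP with a manifest and one dummy class entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="java-archive",
                       filename="invoice.jar")
    html = '<html><body><script language="VBScript">MsgBox "Loading..."</script></body></html>'
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    rtf = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105}}}"
    msg.add_attachment(rtf, maintype="application", subtype="rtf", filename="invoice.rtf")
    msg.add_attachment("Regards, Accounts", filename="signature.txt")  # benign control
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in triage_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```

The JAR is recognised by content, not only by extension, so renaming invoice.jar to something innocuous does not slip past the check; the HTML rule deliberately keys on the script language attribute rather than on particular payload strings, which change from campaign to campaign.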
Adwind Trojan Protection
To protect yourself from Adwind, you can disable Java on the computer or remove the Java Runtime altogether, without waiting, as the saying goes, for peritonitis. And, of course, don't race to open attachments in e-mail from suspicious senders. If you really need Java, another crude but effective defence against Adwind is to change the .JAR file association from the JRE to, say, notepad.exe, so that a double-clicked attachment opens as text instead of executing. Keep in mind that this only affects files launched through the shell; a dropper that invokes java.exe explicitly is not stopped by it.
DroidJack tracking Trojan
This is the name of probably the most popular commercial Android remote-control Trojan, based on the Sandroid app. The tool has two components, a client and a server: one is installed on the smartphone or tablet as an APK file, the other is an ordinary Windows application used to control the device. A lifetime licence for this software costs $210.
DroidJack can report the device's current GPS coordinates, manage incoming and outgoing calls, record phone conversations, read and send SMS and WhatsApp messages, view the browser history and the list of running applications, copy contacts, grab images from the built-in camera, control the volume, and much more.
Obviously, for DroidJack to work the app must first be installed on the device, either by physically taking possession of it or by somehow persuading the user to install the program himself. Most currently known DroidJack samples have no covert installation mechanism at all.
The Trojan is sold openly, but the price is hardly democratic. That is why enterprising developers have produced cheaper analogues; OmniRAT, for example, boasts nearly the same feature set at a quarter of the price.
DroidJack Trojan Protection
The first thing a user should notice is that both DroidJack and OmniRAT request a large number of permissions at installation. If you are installing a flashlight on your smartphone, it is reasonable to ask why it needs to send SMS and read the address book.
Secondly, even though the spy removes its icon from the application list, the running program is still visible in the list of running processes.
Pegasus Tracking Trojan
Pegasus, as everyone knows, is a winged horse. On Android and iOS, Pegasus is a Trojan horse, one of the best-known varieties of commercial mobile spyware.
Curiously, Pegasus can be installed on Apple mobile devices that have not been jailbroken. Several known targeted attacks tried to deliver Pegasus to an iPhone via SMS messages containing a malicious link. The Trojan uses vulnerabilities to install itself, though the known exploit chain works only on outdated iOS versions (before 9.3.5). Nobody knows for certain what more recent editions of Pegasus are capable of, since its developers (the Israeli company NSO Group is believed to be behind it) are alive and well.
The Trojan consists of several functional modules that are loaded onto the infected device as needed. The set of functions in Pegasus is generally standard for such spyware: keylogging, taking screenshots, reading SMS and email correspondence, copying browser history, listening to phone calls, and so on.
Pegasus tries to behave as stealthily as possible and not to reveal itself on the compromised device. If it detects that a different SIM card has been inserted into the phone, or fails to reach its control server for 60 days, the program self-destructs. All this shows that Pegasus is built for targeted attacks; it is not a weapon of mass destruction.
The known Pegasus samples for Android do not use vulnerabilities; to obtain administrator privileges (without which they cannot steal anything from the device beyond its model name), they use the traditional tactic of pestering the user with alerts until he agrees to press the coveted button.
Pegasus Trojan Protection
There are several ways to protect against Pegasus: iPhone and iPad owners should install system updates promptly, and Android users should not grant device-administrator privileges to random applications, however insistently they ask.
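The permission review from the DroidJack section and the device-administrator warning from this Pegasus section can both be done statically, before installation, on an APK's manifest. The following is an added example, not code from the article or from any vendor. It assumes the binary AndroidManifest.xml has already been decoded to text (apktool does this); the "flashlight" manifest, its package name, the capability map and the expected-capability set are constructed for illustration, and the launcher-icon check is an assumed heuristic that only catches apps which never declare a launcher entry, not one that hides its icon at runtime as described above.

```python
"""Android manifest triage: permissions versus stated purpose, device-admin request,
launcher icon (added example).

Assumes a manifest already decoded to text (e.g. by apktool). The sample manifest,
package name and capability map are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Which user-visible capability each sensitive permission grants (assumed grouping).
CAPABILITIES = {
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "calls",
    "android.permission.READ_PHONE_STATE": "calls",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
}

# Constructed manifest of a "flashlight" that asks for far more than a flashlight needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/policy"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")}


def requests_device_admin(manifest_xml):
    """A receiver guarded by BIND_DEVICE_ADMIN is how an app asks to become device administrator."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for r in root.iter("receiver"))


def has_launcher_activity(manifest_xml):
    """True if some activity would get a home-screen icon (MAIN action plus LAUNCHER category)."""
    root = ET.fromstring(manifest_xml)
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            for flt in act.iter("intent-filter"):
                actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
                cats = {c.get(ANDROID + "name") for c in flt.iter("category")}
                if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                    return True
    return False


def review(manifest_xml, expected_capabilities):
    """Summarise what a cautious user would want to know before tapping Install."""
    unexpected = sorted(
        (CAPABILITIES[p], p) for p in declared_permissions(manifest_xml)
        if p in CAPABILITIES and CAPABILITIES[p] not in expected_capabilities)
    return {
        "unexpected": unexpected,
        "device_admin": requests_device_admin(manifest_xml),
        "launcher_icon": has_launcher_activity(manifest_xml),
    }


if __name__ == "__main__":
    report = review(SAMPLE_MANIFEST, {"camera"})  # a flashlight legitimately drives the camera flash
    for cap, perm in report["unexpected"]:
        print(f"unexpected {cap:<12} {perm}")
    print("asks for device admin:", report["device_admin"])
    print("has launcher icon:    ", report["launcher_icon"])
```

The expected-capability set is the judgement call: it encodes what the app claims to be, and everything sensitive outside it is what the text tells you to question. Device-administrator status is reported separately because, as the Pegasus section notes, it is the one grant that turns a noisy app into a spy that can actually take data off the device.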
Commercial Trojans have been and will remain on users' systems, simply because demand, as a clever man named John Maynard Keynes put it, creates supply.
Antivirus software, as we have seen, is not a panacea, so to defend against spyware you should use the most powerful analytical tool available today: your own brain.
Check installed programs with antivirus utilities, keep track of which network addresses they contact while running, watch which processes are launched on the system, update the OS on time, disable unnecessary components such as the Java Runtime, and apply the latest security patches.