Security researchers from ESET have discovered a malware campaign in seven countries that uses new variants of FinFisher, which arrive bundled with a legitimate application.
Researchers assume that ISPs used their ability to control user traffic to redirect users who were trying to download certain software to a different link offering the same software, but infected with the FinFisher spyware. Many products, such as WhatsApp, Skype, Avast, WinRAR, VLC Player and others, have been infected with the malware.
According to ESET:
“New surveillance campaigns utilizing FinFisher, infamous spyware known also as FinSpy and sold to governments and their agencies worldwide, are in the wild. Besides featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement.”
The attack begins when a user looks for one of the modified (infected) applications on a legitimate website. After the victim clicks on the download link, their browser is served a malicious link and is therefore redirected to an infected installer hosted on the attacker’s server.
ESET said that this was the first time it saw FinFisher delivered at an ISP level.
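A defender can look for the redirection described above in web proxy logs: an installer request to a vendor's site that is answered with a redirect to a host the vendor does not use. The following is an added example, not code from ESET or the original article; the log record layout, the per-vendor allowlist and every hostname in it are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: hosts each vendor legitimately serves installers from.
# Every hostname here is a constructed placeholder on the reserved .example TLD.
ALLOWED_DOWNLOAD_HOSTS = {
    "vendor-a.example": {"vendor-a.example", "cdn.vendor-a.example"},
    "vendor-b.example": {"vendor-b.example"},
}
INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".rar")

# Constructed proxy records: (client IP, requested URL, HTTP status, Location header).
SAMPLE_LOG = [
    ("10.0.0.5", "http://vendor-a.example/download/setup.exe", 302, "http://cdn.vendor-a.example/setup.exe"),
    ("10.0.0.7", "http://vendor-b.example/get/player.exe", 302, "http://files.unrelated.example/player.exe"),
    ("10.0.0.7", "http://vendor-b.example/about.html", 301, "https://vendor-b.example/about.html"),
    ("10.0.0.9", "http://vendor-a.example/download/setup.exe", 200, ""),
    ("10.0.0.9", "http://vendor-a.example/download/tool.zip", 302, "/mirror/tool.zip"),
]


def vendor_for(host):
    """Return the allowlist key this host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for vendor in ALLOWED_DOWNLOAD_HOSTS:
        if host == vendor or host.endswith("." + vendor):
            return vendor
    return None


def suspicious_redirects(records):
    """List installer requests to a known vendor that were redirected off-vendor."""
    findings = []
    for client, url, status, location in records:
        if not 300 <= status < 400 or not location:
            continue  # only redirects carry a Location worth checking
        source = urlsplit(url)
        vendor = vendor_for(source.hostname or "")
        if vendor is None:
            continue  # not a vendor we track
        target = urlsplit(urljoin(url, location))  # resolves relative Location values
        if not (source.path.lower().endswith(INSTALLER_SUFFIXES)
                or target.path.lower().endswith(INSTALLER_SUFFIXES)):
            continue  # ordinary page redirect, e.g. http -> https
        if (target.hostname or "").lower() not in ALLOWED_DOWNLOAD_HOSTS[vendor]:
            findings.append((client, url, target.geturl()))
    return findings


if __name__ == "__main__":
    for client, url, target in suspicious_redirects(SAMPLE_LOG):
        print(f"{client}: {url} -> {target}")
```

A proxy log only shows redirects that the proxy itself observed, so checking the downloaded installer's digital signature or published hash remains the complementary control.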