New FinSpy Spyware Variants Identified, Dissected
2020-09-29 10:48

Human rights organization Amnesty International has identified new macOS and Linux-targeting variants of the infamous FinFisher-made spyware family FinSpy.

While digging deeper into the use of FinSpy by a hacking group dubbed NilePhish, which is believed to be state sponsored, Amnesty International discovered previously unknown samples targeting Linux and macOS, along with infrastructure used to distribute the Windows variant of the spyware disguised as an Adobe Flash Player installer.

Amnesty International identified the Linux and macOS FinSpy samples on a server that does not appear related to NilePhish, but which likely belongs to a different spyware operator, and says that they were created between April 2019 and November 2019.

Development of the macOS FinSpy samples likely started in 2013, but Amnesty International believes that the spyware was not packaged for use until November 2019.

The organization also analyzed an Android sample that shows multiple layers of obfuscation, uses Unix sockets for communication between threads, stores its configuration data directly in the Dex file, and can be reconfigured via SMS. A FinSpy for Windows variant was identified as well, distributed as a backdoored version of the WinRAR software.

News URL: http://feedproxy.google.com/~r/Securityweek/~3/XJZx1rn6ZMA/new-finspy-spyware-variants-identified-dissected