FinFisher an infamous spyware which was widely sold to the government organizations and other agencies. Security researchers at ESET discovered malware/surveillance campaigns utilizing variants of FinFisher in the wild.
“New surveillance campaigns utilizing FinFisher, are in the wild, featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement.” said the researcher in their blog post.
Involvement of ISPs is been suspected as they seem to be the “man” in this Man in the middle attack. The attack mechanism is one of its types which is why researchers assume that ISPs might be involved in these campaigns.
The Attack Scenario
When a user visits a legitimate site to install a legitimate application and click on the download link, they encounter an HTTP 307 redirect request and receives the file from the redirected location. The file from the redirected location is bind with FinFisher and legitimate application. This way user/victim thinks that he is having a legitimate application whereas he is in real downloading a malware.
(The HTTP 307 Temporary Redirect redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the Location headers. The method and the body of the original request are reused to perform the redirected request.)
Here is a pictorial representation of the attack scenario by ESET.
ESET researchers mentioned in their blog post that they found these campaigns in 7 countries but refused to disclose the name of any of them.