SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

FinFisher/FinSpy seen in targeted emails (July 31, 2012)


Dell SonicWALL Threats Research team received reports of a spying tool being sent as an attachment in spear phishing emails targeting activists. This spying tool called FinFisher/FinSpy has been linked to being covertly used by various governments for surveillance within and across their borders. The tool behaves like a Trojan and uses various stealth techniques to evade detection. It harvests user data and attempts to upload the encrypted data to a remote server.

The executable in the email attachment uses the following misleading icons:

The FinSpy tool when executed performs the following activities:

  • It creates the following files:
    • %appdata%\Microsoft\Installer\mssounddx.sys [Detected as GAV: FinSpy.A_3 (Trojan)]]
    • %appdata%\Microsoft\Installer\shellex32.dll [Detected as GAV: FinSpy.A_4 (Trojan)]]
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}\80C.dat (Harvested data)]
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}\(02-21)C.dat (Harvested data)]
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}\ico_ty23.ico (Harvested data)]
    • %temp%\delete.bat (Bat executable with commands to delete itself)

  • It creates the following registry key to ensure infection on reboot:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssounddx:"%appdata%\Microsoft\Installer\mssounddx.sys"

  • It hooks the following API in ntdll.dll:
    • CsrClientCallServer

  • It starts iexplorer.exe and injects code in to it

  • It attempts to contact the following remote servers: (These sub-domains no longer resolve)

  • It attempts to send encrypted data over TCP ports 22, 3111, 3112 and 3113:


  • It attempts to disguise itself as Mozilla Firefox as seen from the resource section:


Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
  • GAV: FinSpy.A (Trojan)
  • GAV: FinSpy.A_2 (Trojan)
  • GAV: FinSpy.A_3 (Trojan)
  • GAV: FinSpy.A_4 (Trojan)
  • IPS: FinFisher Server Trafffic
  • IPS: FinFisher Client Connection Attempt

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2021 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 17.3 | S1MSW01