
FinFisher: A researcher’s tale of defeating traps, tricks, and complex VM's - peter_d_sherman
https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/
======
peter_d_sherman
>"FinFisher is such a complex piece of malware that, like other researchers,
>we had to devise special methods to crack it. We needed to do this to
>understand the techniques FinFisher uses to compromise and persist on a
>machine, and to validate the effectiveness of Office 365 ATP detonation
>sandbox, Windows Defender Advanced Threat Protection (Windows Defender ATP)
>generic detections, and other Microsoft security solutions.
>
>This task proved to be nontrivial. FinFisher is not afraid of using all kinds
>of tricks, ranging from junk instructions and “spaghetti code” to multiple
>layers of virtual machines and several known and lesser-known anti-debug and
>defensive measures. Security analysts are typically equipped with the tools to
>defeat a good number of similar tricks during malware investigations. However,
>FinFisher is in a different category of malware for the level of its
>anti-analysis protection. It’s a complicated puzzle that can be solved by
>skilled reverse engineers only with a good amount of time, code, automation,
>and creativity. The intricate anti-analysis methods reveal how much effort the
>FinFisher authors exerted to keep the malware hidden and difficult to
>analyze."

