State-sponsored hackers suspected of targeting Kazakh lawyers and dissidents with cyberattacks
Like FinFisher, the new campaign also uses HTTP redirects for "on-the-fly" browser redirection to set up a man-in-the-middle attack and distribute StrongPity2 spyware Reuters

Security researchers have found that the notorious FinFisher malware has been replaced by a new spyware. Finfisher, also known as FinSpy, is sold to governments, nation states and intelligence agencies for extensive surveillance purposes and can be used for keystroke logging, snooping on webcams, microphones and web browsing as well as exfiltration of files.

ESET researcher Tomas Kafka reported that a new spyware dubbed StrongPity2 seems to have taken over for the infamous spyware and uses similar techniques as FinFisher.

Named after the group StrongPity, researchers said Win32/StrongPity2 has been used in man-in-the-middle attacks and exploits a number of popular websites to help install and spread the malware.

"As we reported in September, in campaigns we detected in two different countries, Man-in-the-Middle (MitM) attacks had been used to spread FinFisher, with the "man" in both cases most likely operating at the ISP level," Kafka wrote in a blog post on Friday (8 December).

However, the campaigns seemed to have disappeared on 21 September after ESET's findings on the same was published.

The campaign popped up again in one of those countries a month later using the same, unique structure as FinFisher.

Like FinFisher, the new campaign also uses HTTP redirects for "on-the-fly" browser redirection to set up a man-in-the-middle attack and distribute StrongPity2 spyware.

Several popular websites and their software have already been found to be targeted by the StrongPity group including CCleaner v 5.34, the Opera Browser, Skype, VLC Media Player v2.2.6 (32bit), Driver Booster and WinRAR 5.50.

"The first similarity is the attack scenario – users trying to download a software installation package were being redirected to a fake website serving a trojanized version of the expected installation package," ESET said. "The StrongPity group was observed performing such watering hole attacks in the summer of 2016, targeting mostly Italian and Belgian users of encryption software."

Researchers noted that some parts of StrongPity2's code is exactly the same as that of FinFisher while others were still notably similar. Both StrongPity 2 and FinFisher used the same uncommon obfuscation algorithm and libcurl version 7.45. They even exfiltrated files the same way.

Besides exfiltrating data, Win32/StrongPity2 also has the ability to download and execute almost any other malicious software using the privileges held by the compromised account.

So far, ESET said it has recorded more than 100 detections of the malware. However, they noted that it is possible to scan for and remove the spyware using free tools available through different sources.