
Untitled

a guest, Aug 8th, 2014
What's in the torrent:

The qateam/ folder is a copy of what appeared to be a QA server with copies of
all their FinSpy Mobile malware.

The www/FinFisher folder is a dump of https://www.gamma-international.de/FinFisher/
That's where their customers went to download whatever they had purchased.
Unfortunately, the downloads are all either encrypted zip or gpg files. But, on
the chance that the encryption can be cracked (throw enough GPU at the zip
files), it'll have everything. The only unencrypted thing in that part is
FinFisher/Sales, which does have some semi-interesting stuff like a price list.

The www/GGI folder is a copy of http://finsupport.finfisher.com/
A dump of its database is in Database.sql
That's where all their customers went for support questions. Often the
FinFisher staff would reply over e-mail, and unfortunately I wasn't able to
get the mail servers. The most interesting things there are the support_request
and feedback tables in the database combined with the Support/Attachments
folder. There's also some decent stuff in Product/Documents and Product/Updates.

The www/conf folder has the webalizer stats on their visitors.

The www/ffw folder has their FinFly-Web demo site.


Customers I've identified:

29 - the Bahraini group; in support requests they ask for help setting up a
website targeting activists in 14 Feb, and in another support request they
attach their C&C server logs. The names of people with admin access to the
FinSpy server are in the server logs, grep for "user name:"
Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed
Ansar Husain, Humayun, and Mohammed Al Majed

From metadata in attached Word documents:
69 - PCS Security Pte Ltd
49 - Cliff Harris

From text in the support_request or feedback table:
21 - Nasser Alnuaimi, Qatar state security bureau
82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina
73 - Peter Balogh, SSNS - NBSZ Hungary secret service
61 - Wim Bordeyne, gives work e-mail of h.isrd@skynet.be although skynet.be is
     an ISP?
48 - Vietnam
65 - Nigeria
18 - Mongolia, and their email odmagnai@gmail.com appears in this whois record:
http://wq.apnic.net/apnic-bin/whois.pl?searchtext=MAINT-MN-NITSYSTEM&form_type=advanced

From their username in the customer table:
34 - Dyplex
9 - Trovicor
10 - Elaman
23 - Cobham

From the gpg key used for their product download:
68 - Jochen van der Wal, technical engineer for KLPD (Dutch police)

Other customer gpg keys that are on keyservers but don't identify them:
43 - USB on Fire <usbonfire@gmail.com>
14 - campo@campinator.com

Employees identified from gpg keys:
(1)     Alfons Rauscher <alfons.rauscher@vervis.de>
          1024 bit DSA key 66878388, created: 2013-04-17
(1)     Hari Purnama (pgp) <hp@gammagroup.com>
          2048 bit RSA key A7A4AC21, created: 2013-03-05
(1)     Melvin Teoh (Gamma Group) <mt@gammmagroup.com>
          2048 bit RSA key D81082F4, created: 2012-03-08
(1)     Alexander Hagenah <ah@primepage.de>
          2048 bit RSA key 3F895273, created: 2013-03-05
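The note above attributes two customer IDs to "metadata in attached word documents". As an added illustration of that technique (this is editor-supplied example code, not part of the original paste and not from the leaked material), the block below pulls the authorship fields a .docx carries in its OOXML package: dc:creator and cp:lastModifiedBy from docProps/core.xml and Company from docProps/app.xml. The sample document, the names in it and the helper names are all constructed for the example; it also shows the failure modes a practitioner hits on a real attachment folder, a legacy .doc (OLE2, not a zip) and a zip with no docProps part, both of which return empty fields instead of raising.

```python
"""Extract authorship metadata from Office Open XML (.docx) attachments.

Example code added by the editor; the document and names below are
constructed and do not come from any real file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside docProps/core.xml and docProps/app.xml
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

EMPTY = {"creator": None, "lastModifiedBy": None, "company": None, "created": None}


def docx_authorship(data: bytes) -> dict:
    """Return creator / lastModifiedBy / company / created for a .docx byte string.

    Non-zip input (e.g. a legacy .doc) and packages without docProps parts
    return the fields as None rather than raising, so a directory sweep keeps going.
    """
    result = dict(EMPTY)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an OOXML container
    with zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))  # bytes, so encoding decl is fine
            for key, path in (("creator", "dc:creator"),
                              ("lastModifiedBy", "cp:lastModifiedBy"),
                              ("created", "dcterms:created")):
                el = root.find(path, NS)
                if el is not None and el.text:
                    result[key] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            el = root.find(f"{{{NS_APP}}}Company")
            if el is not None and el.text:
                result["company"] = el.text.strip()
    return result


def build_sample_docx(creator: str, modified_by: str, company: str) -> bytes:
    """Build a minimal, constructed .docx-like package for testing (hypothetical data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2012-05-01T09:00:00Z</dcterms:created>'
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS_APP}"><Application>Microsoft Office Word</Application>'
        f"<Company>{company}</Company></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("Alice Example", "B. Example", "Example Pte Ltd")
    print(docx_authorship(sample))
    print(docx_authorship(b"\xd0\xcf\x11\xe0 not an OOXML package"))  # legacy .doc magic, all None
```

On a real attachments folder you would call docx_authorship on every *.docx and group results by the submitting customer ID, which is the join the note above is describing; legacy .doc files need an OLE2 parser instead and are deliberately reported as empty here.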