Aug 8th, 2014
What's in the torrent:

- The qateam/ folder is a copy of what appeared to be a QA server with copies of all their FinSpy Mobile malware.
- The www/FinFisher folder is a dump of https://www.gamma-international.de/FinFisher/. That's where their customers went to download whatever they had purchased. Unfortunately, the downloads are all either encrypted zip or gpg files. But, on the chance that the encryption can be cracked (throw enough GPU at the zip files), it'll have everything. The only unencrypted thing in that part is FinFisher/Sales, which does have some semi-interesting stuff like a price list.
- The www/GGI folder is a copy of http://finsupport.finfisher.com/. A dump of its database is in Database.sql. That's where all their customers went for support questions. Often the FinFisher staff would reply over e-mail, and unfortunately I wasn't able to get the mail servers. The most interesting things there are the support_request and feedback tables in the database combined with the Support/Attachments folder. There's also some decent stuff in Product/Documents and Product/Updates.
- The www/conf folder has the webalizer stats on their visitors.
- The www/ffw folder has their FinFly-Web demo site.

Customers I've identified:

- 29 - the Bahraini group. In support requests they ask for help setting up a website targeting activists in 14 Feb, and in another support request they attach their C&C server logs. The names of people with admin access to the FinSpy server are in the server logs (grep for "user name:"): Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed Ansar Husain, Humayun, and Mohammed Al Majed.

From metadata in attached Word documents:
- 69 - PCS Security Pte Ltd
- 49 - Cliff Harris

From text in the support_request or feedback table:
- 21 - Nasser Alnuaimi, Qatar State Security Bureau
- 82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina
- 73 - Peter Balogh, SSNS - NBSZ, Hungary secret service
- 61 - Wim Bordeyne, gives a work e-mail of firstname.lastname@example.org although skynet.be is an ISP?
- 48 - Vietnam
- 65 - Nigeria
- 18 - Mongolia, and their email email@example.com appears in this whois record:

From their username in the customer table:
- 34 - Dyplex
- 9 - Trovicor
- 10 - Elaman
- 23 - Cobham

From the gpg key used for their product download:
- 68 - Jochen van der Wal, technical engineer for KLPD (Dutch police)

Other customer gpg keys that are on keyservers but don't identify them:
- 43 - USB on Fire <firstname.lastname@example.org>
- 14 - email@example.com

Employees identified from gpg keys:
- Alfons Rauscher <firstname.lastname@example.org>
  1024-bit DSA key 66878388, created 2013-04-17
- Hari Purnama (pgp) <email@example.com>
  2048-bit RSA key A7A4AC21, created 2013-03-05
- Melvin Teoh (Gamma Group) <firstname.lastname@example.org>
  2048-bit RSA key D81082F4, created 2012-03-08
- Alexander Hagenah <email@example.com>
  2048-bit RSA key 3F895273, created 2013-03-05