I wonder how much money our government has thrown out of the window for this, and I wonder how the truely great work from Microsoft pays off here. They claim to block Finfisher which is a large part of our German Bundestrojaner, and here is a wonderful and detailed blogpost about how they did it and about the amazing findings they made in the multiple layers of virtualization and obfuscations. “FinFisher is such a complex piece of malware that, like other researchers, we had to devise special methods to crack it.”
(Image source: https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)
Finfisher is using an onion-like shell system of six layers around their payload (whatever that may be). And it has several virtual machines built-in with up to 32 opcodes specifically created for this system, all but to protect, obfuscate and hide the payload. But what does the payload do? On that, Microsoft’s engineers write:
“It is evident that the ultimate goal of this program is to steal information. The malware architecture is modular, which means that it can execute plugins. The plugins are stored in its resource section and can be protected by the same VM. The sample we analyzed in October, for example, contains a plugin that is able to spy on internet connections, and can even divert some SSL connections and steal data from encrypted traffic.”
A really good read this article is. And if you find the time, read this amazing work by Tora.