#proxying — Public Fediverse posts

One of the key attributes of #StateSponsoredMalware™ from #GammaGroup's #FinFisher #FinSpy #Finsky is understanding that it is a shim based mish mash of resident files that point to different parts of the other background services running.

Some are replaced stock system files modified to look like and are named the same as the original but are supplemented with additional API's that call the mutiple shims that has as it's main goal of getting complete persistence on your systems if it has not done so already.

🚩🚩🚩🚩One first sign is the battery drain this software uses. It has a weird side effect of NOT logging in this battery usage like normal applications and system. 🚩🚩🚩🚩

⚠️🚨⚠️🚨⚠️🚨⚠️ 🚨⚠️🚨⚠️🚨
This BATTERY DRAIN is a HUGE
first indicator of compromise.
⚠️🚨⚠️🚨⚠️🚨⚠️🚨⚠️🚨⚠️🚨

Second is checking the BACKGROUND programs running list. There are SEVERAL background programs that indicates you have been compromised by GammaGroup's software, especially on #Android , #IOS, #MacOS, #Windows, & #Linux.

There are attaccc features also which spread, from a library of PNGs with URL arrays embedded to their #malware services that launch attaccc's based on certain PSTN calls, web browsing & also MMS & SMS interactions.

For example, receiving an SMS or MMS can activate things on your computer or wireless device to do things like start a running process shim like start or restart specific services.

There is also a #MITM #ForcedMDM & #proxying ability to use your end point as an attaccc node completely behind the scenes without your intervention or knowledge unless you are logging your traffic which also could be bypassed also as has been seen previously. That is on purpose.

Continued..... #infosec #GreyMarket #CALEA #malware #investigations #RTDNA ☣️🔍🧐