Using Volatility to Detect the FinFisher Suite
The Citizen Lab at the University of Toronto recently released a report describing an instance of the FinFisher Suite, a “Governmental IT Intrusion and Remote Monitoring Solution”, which was being sent to Bahraini activists. In the report, the analysts used Volatility to detect “process hollowing” (malfind), detect hooked functions (apihooks), and extract other memory-resident artifacts of “finspy” (memdump). It’s great to see that Volatility has become such a valuable resource to anti-virus companies and researchers dealing with “unknown” malware. Shouts to Morgan!