Hello all,
I was working on an investigation of a PC that appeared to be compromised, and several findings pointed it out as possibly involved in nation-state-level APT activity.
One of the suspicious files that I uploaded to VirusTotal had a comment linking it to an APT campaign reportedly targeting India, allegedly linked to actors from Pakistan. The comment pointed to an article by Seqrite Labs (link below) discussing continuous cyberattacks against the Indian government conducted by Pakistani APT groups. That would seem to point to a confirmation of the hypothesis that this file belongs to a greater scheme of some sort.
Article link: https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/
Utilizing VirusTotal's FinFisher relationship graph showed me that another file from the same compromised PC shared its hash with a file already flagged as Gamma Group's FinFisher spyware. That led me deeper into an investigation, finding potential connections to command-and-control servers involved in FinFisher, raising very valid red flags regarding the nature of this compromise.
These findings lead me to conclude that FinFisher was used in illegal, unsanctioned surveillance conducted in my region (East Asia).
I would also appreciate any insight or advice from the community, particularly with respect to the involvement of FinFisher in APT campaigns or its deployment to conduct unauthorized surveillance. Any insights into further investigation or recommendations on deeper analysis will be greatly appreciated.
Thanks in advance for your inputs!