A commercially available spyware tool intended for law enforcement agencies is turning up in countries where it should never have been sold, raising concerns that it could be commandeered by cyber crooks.
The firm said it has analysed characteristics that enable it to identify communications between the tool and C&C servers.
Rapid7 used this fingerprint to track the spyware and found 12 C&C servers in the US, Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.
Security researcher Claudio Guarnier said that while the company could not confirm whether agencies or governments were actively using the tool to mount cyber spying campaigns, it was unlikely the spy tool was yet being used by cyber criminals.
"We are not able to determine whether they're actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all," wrote Guarnier.
"The malware seems fairly complex and well protected/obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don't support the suggestion that thieves refactored the malware for black market use."
Last month, Bloomberg reported Gamma Group claims that copies of its software that were found in Bahrain must have been stolen.
However, Guarnier warned that given the nature of cyber crime, it was likely that FinFisher would soon be adopted by criminals.
"Once any malware is used in the wild, it's typically only a matter of time before it gets used for nefarious purposes," wrote Guarnier.
"The infosec community needs to pay attention and take malware exposure seriously. Take action to protect infrastructure and discourage the spread, production and purchase of malware. As we've seen countless times before, and will certainly see again, it's impossible to keep this kind of thing under control in the long term."
FinFisher is able to record Skype and other voice-over-IP (VoIP) communications, log keystrokes and turn on a computer's webcam and microphone. FinFisher can also steal files from a hard disk and is built to bypass numerous anti-virus systems.
At the time of writing, Gamma Group had not responded to requests from V3 for comment on Rapid7's findings.
Systrom and Krieger taking time off "to explore our curiosity and creativity"
Comcast's £29.7bn winning bid more than twice the £13.7bn Rupert Murdoch valued Sky at just eight years ago
A nuclear strike has been considered, but Bruce Willis is nowhere in sight
Spray-on antenna could enable seamless integration of antennas with everyday objects