'Farseer' backdoor targets Windows systems, linked to 'HenBox' malware

News by Bradley Barth

A recently discovered backdoor program designed to compromise Windows users has strong ties to HenBox, an Android-based malware known to target members of the Uyghur ethnic group in China, as well as smartphones from Chinese manufacturer Xiaomi.

A recently discovered backdoor program designed to compromise Windows users has strong ties to HenBox, an Android-based malware known to target members of the Uyghur ethnic group in China, as well as smartphones from Chinese manufacturer Xiaomi.

Dubbed Farseer, the previously undisclosed malware dates back at least two-and-a-half years, according to Palo Alto Networks’ Unit 42 researchers Alex Hinchliffe and Mike Harbison in a 26 February company blog post. Unit 42 has tracked more than 30 unique samples over that span of time — and while most emerged in 2017, new samples have appeared as recently as the last two months.

The malware appears to be the latest known cyber weapon available to the attack group associated with HenBox, which is also affiliated with the malware programs Poison Ivy, PlugX, Zupdax, 9002 RAT and PKPLUG malware.

An early sample reportedly delivered a decoy PDF document featuring a copied news article from a Myanmar website that reports news in the Southeast Asia region — a clue that Farseer’s intended victims are located in this geographic area.

Unit 42 says that Farseer essentially acts as a cyber-espionage tool that beacons to the attackers’ command-and-control servers for instructions. To avoid detection during the infection process, it employs DLL sideloading techniques — using trusted, vendor-signed binaries to load malicious code.

Additionally, "some payloads are encrypted on disk preventing analysis, especially as decompression and decryption occurs at runtime, in-memory, where code is further altered to thwart forensic analysis," the blog post continues.

Commonalities between Farseer, HenBox and the other related malware types include file hashes, IP addresses, domain names and config files.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike