‘Farseer’ Backdoor Targets Users in South East Asia

A recently discovered backdoor is used in attacks targeting victims in and around the South East Asia region, Palo Alto Networks security researchers warn.

Dubbed Farseer and targeting Windows computers, the malware appears to be connected to the HenBox Android malware family that was found last year being used in cyber-espionage attacks focused on the Uyghur population. 

The infrastructure behind both HenBox and Farseer is tied to other malware as well, including Poison Ivy, Zupdax, and PKPLUG, the security researchers say. The infrastructure used by these malware families is vast and the overlaps are numerous.

More than 30 unique Farseer samples have emerged over the past two years, mostly in 2017, though some were seen in 2018 too. The most recent of them were spotted during the past two months. 

The most recent sample introduces a new command and control (C&C) domain to the Farseer set, but that domain was also used by some Poison Ivy samples as their C&C. Earlier activity on the domain dates back to mid-2015, yet it remains in active use, with the most recent activity observed in December 2018.

In addition to this C&C, Farseer and Poison Ivy infrastructure overlaps include the use of two other domains, as well as the use of third-level domains as the C&C, and a couple of IP addresses. On top of that, Farseer overlaps with HenBox and PlugX samples through multiple C&C domains and IP addresses. Farseer was also tied to domains and custom Gh0st RAT malware samples.

“It’s possible the infrastructure relates to the same group, or multiple groups, conducting various attacks against different operating systems using the various malware families described in this, and related, reports. The possible ties require further investigation,” Palo Alto Networks points out.

Farseer employs DLL sideloading to load its payload. The malware’s configuration files share similarities with those of HenBox, starting with the fact that both are text files that are read and parsed at run-time. For persistence, Farseer creates a registry entry to run a VBS script that executes bscmake.exe, and thus the malware itself. 

“In this case, we do not have great visibility into the targets of the Farseer malware. However, given our existing knowledge based on previous research, and around malware with closely-related infrastructure, together with certain targeting themes seen in some Farseer samples, it is highly likely that victims lay in and around the South East Asia region,” Palo Alto Networks says. 

Farseer payloads, the researchers note, are backdoors that receive instructions from pre-configured C&C servers and use various techniques to evade detection and inhibit analysis, including DLL sideloading through trusted, signed executables. Payloads are encrypted on disk; decompression and decryption occur at runtime, in memory, where the code is further altered to hinder forensic analysis.

“Whereas HenBox posed a threat for devices running Android, Farseer is built to target Windows, which appears to be more typical given previous threats seen from the group or groups behind this, and related malware,” the researchers conclude. 

Related: New “HenBox” Android Malware Discovered

Related: Backdoor Targeting Malaysian Government a “Mash-up” of Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
