
‘Farseer’ Backdoor Targets Users in South East Asia

A recently discovered backdoor is used in attacks targeting victims in and around the South East Asia region, Palo Alto Networks security researchers warn.


Dubbed Farseer and targeting Windows computers, the malware appears to be connected to the HenBox Android malware family that was found last year being used in cyber-espionage attacks focused on the Uyghur population. 

The infrastructure behind both HenBox and Farseer is tied to other malware as well, including Poison Ivy, Zupdax, and PKPLUG, the security researchers say. The infrastructure used by these malware families is vast and the overlaps are plentiful.

More than 30 unique Farseer samples have emerged over the past two years, mostly in 2017, though some were seen in 2018 too. The most recent of them were spotted during the past two months. 

The most recent sample introduces a new command and control (C&C) domain to the Farseer set, but that domain was also used by some Poison Ivy samples as their C&C. Earlier activity on the domain dates back to mid-2015, but it remains in active use, with the most recent activity observed in December 2018.

Beyond this C&C, the Farseer and Poison Ivy infrastructure overlaps include two other shared domains, the use of third-level domains as C&C, and a couple of shared IP addresses. Farseer also overlaps with HenBox and PlugX samples through multiple C&C domains and IP addresses, and was tied to domains and custom Gh0st RAT malware samples as well.
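The overlap analysis described above (families linked by shared C&C domains and IP addresses, with Farseer connected to Poison Ivy, HenBox, PlugX and Gh0st RAT through different indicators) is a pivoting exercise over indicator sets. The following is an added example written for this page, not code from Palo Alto Networks or from the article. The family names are taken from the article, but every indicator value is a constructed placeholder and the assignments of indicators to families are illustrative, not the researchers' data.

```python
from itertools import combinations

# Constructed indicator sets keyed by malware family. The values stand in for
# C&C domains and IP addresses; they are placeholders, not real indicators.
FAMILY_INDICATORS = {
    "Farseer":   {"domain-A.example", "domain-B.example", "domain-C.example",
                  "203.0.113.10", "198.51.100.7"},
    "PoisonIvy": {"domain-A.example", "domain-B.example", "203.0.113.10"},
    "HenBox":    {"domain-C.example", "198.51.100.7", "domain-D.example"},
    "PlugX":     {"domain-C.example", "domain-E.example"},
    "Gh0stRAT":  {"domain-F.example"},
}


def shared_indicators(indicators, family_a, family_b):
    """Indicators used by both families (set intersection)."""
    return indicators[family_a] & indicators[family_b]


def overlap_matrix(indicators):
    """Pairwise overlap table: (family_a, family_b, count, sorted shared set),
    strongest overlap first. Pairs with nothing in common are omitted."""
    rows = []
    for a, b in combinations(sorted(indicators), 2):
        shared = shared_indicators(indicators, a, b)
        if shared:
            rows.append((a, b, len(shared), sorted(shared)))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def pivot(indicators, indicator):
    """Every family that uses a given indicator: the analyst's pivot from one
    domain or IP to the set of families sharing it."""
    return sorted(f for f, s in indicators.items() if indicator in s)


def connected_families(indicators, start):
    """Families reachable from `start` through chains of shared indicators,
    i.e. the connected component of the family/indicator graph."""
    seen = {start}
    frontier = [start]
    while frontier:
        current = frontier.pop()
        for other in indicators:
            if other not in seen and indicators[current] & indicators[other]:
                seen.add(other)
                frontier.append(other)
    return sorted(seen)


if __name__ == "__main__":
    for a, b, n, shared in overlap_matrix(FAMILY_INDICATORS):
        print(f"{a:10} <-> {b:10} {n} shared: {', '.join(shared)}")
    print("pivot on domain-C.example:", pivot(FAMILY_INDICATORS, "domain-C.example"))
    print("cluster around Farseer:", connected_families(FAMILY_INDICATORS, "Farseer"))
```

With the constructed data, `connected_families` places Farseer, Poison Ivy, HenBox and PlugX in one cluster while Gh0st RAT (whose only indicator is unshared here) stays outside it; on real data the same function answers the article's open question of which families sit on connected infrastructure, and `pivot` shows which families a single newly observed C&C domain ties together.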

“It’s possible the infrastructure relates to the same group, or multiple groups, conducting various attacks against different operating systems using the various malware families described in this, and related, reports. The possible ties require further investigation,” Palo Alto Networks points out.

Farseer employs DLL sideloading to load its payload. The malware's configuration files share similarities with those of HenBox, starting with the fact that both are text files that are read and parsed at run-time. For persistence, Farseer creates a registry entry that runs a VBS script; the script executes bscmake.exe, which in turn loads the malware itself.
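The persistence chain just described (a Run-key entry starting a VBS script, which launches bscmake.exe, a legitimate signed Microsoft Visual Studio build tool abused as a sideloading host) gives a defender two concrete things to hunt for: autorun entries that invoke a script host, and the sideloading host running from somewhere other than a Visual Studio installation. The following is an added example written for this page, not code from the article or from Palo Alto Networks. It works over constructed Run-key entries and a constructed script body so it runs offline; the entry names, paths and script contents are invented, and the allow-listed directory is an assumption about where a genuine bscmake.exe would live.

```python
import re

# Constructed sample of Run-key values as an analyst might export them
# (value name, command line). Illustrative only, not real Farseer artefacts.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"'),
    ("BuildHelper", r'C:\ProgramData\tools\bscmake.exe'),
    ("VSTool", r'"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\bin\bscmake.exe"'),
    ("SecurityHealth", r'C:\Windows\System32\SecurityHealthSystray.exe'),
]

# Constructed body of the script referenced by the "Updater" entry: a VBS
# launcher that starts bscmake.exe, mirroring the chain the article describes.
SAMPLE_SCRIPT_CONTENTS = {
    r"C:\Users\alice\AppData\Roaming\update.vbs":
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "C:\\ProgramData\\tools\\bscmake.exe", 0, False\n',
}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# bscmake.exe is a legitimate Visual Studio tool; a copy launched from a
# user-writable path is the sideloading pattern worth flagging.
SIDELOAD_HOSTS = ("bscmake.exe",)
# Assumed legitimate install location (substring match, case-insensitive).
EXPECTED_HOST_DIRS = (r"\microsoft visual studio",)

VBS_PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.vbs)"?', re.IGNORECASE)


def referenced_vbs(command):
    """Return the .vbs path named in a command line, or None."""
    match = VBS_PATH_RE.search(command)
    return match.group(1) if match else None


def host_outside_expected_dir(text):
    """Return the sideloading host name if `text` references it from a
    directory that is not in EXPECTED_HOST_DIRS, else None."""
    low = text.lower()
    for host in SIDELOAD_HOSTS:
        idx = low.find(host)
        if idx == -1:
            continue
        line_start = low.rfind("\n", 0, idx) + 1
        directory = low[line_start:idx]          # text preceding the file name
        if not any(d in directory for d in EXPECTED_HOST_DIRS):
            return host
    return None


def analyse_run_entry(name, command, script_contents):
    """Reasons (possibly empty) why one Run-key entry looks suspicious."""
    reasons = []
    if any(h in command.lower() for h in SCRIPT_HOSTS):
        reasons.append("script host launched from Run key")
    host = host_outside_expected_dir(command)
    if host:
        reasons.append(f"{host} launched from non-standard location")
    vbs = referenced_vbs(command)
    if vbs and vbs in script_contents:
        # Follow the chain one hop: inspect what the script itself launches.
        host = host_outside_expected_dir(script_contents[vbs])
        if host:
            reasons.append(f"script runs {host}, a known sideloading host")
    return reasons


def find_suspicious_run_entries(entries, script_contents):
    """Map of entry name -> reasons for every entry that raised at least one."""
    findings = {}
    for name, command in entries:
        reasons = analyse_run_entry(name, command, script_contents)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_SCRIPT_CONTENTS).items():
        print(f"{name}: " + "; ".join(reasons))
```

The useful part is the one-hop follow-through: the Run key alone only shows a script host, which is common in benign environments, but reading the script and applying the same sideloading-host check to its contents surfaces the bscmake.exe launch. The allow-listed directory deliberately leaves the "VSTool" entry unflagged, which keeps the check focused on copies of the tool placed outside its install path rather than on the tool's existence.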

“In this case, we do not have great visibility into the targets of the Farseer malware. However, given our existing knowledge based on previous research, and around malware with closely-related infrastructure, together with certain targeting themes seen in some Farseer samples, it is highly likely that victims lay in and around the South East Asia region,” Palo Alto Networks says. 

Farseer payloads, the researchers note, are backdoors that receive instructions from pre-configured C&C servers and that use various techniques to evade detection and inhibit analysis, including DLL sideloading via trusted, signed executables. Payloads are stored encrypted on disk; decompression and decryption occur at runtime in memory, where the code is further altered to hinder forensic analysis.

“Whereas HenBox posed a threat for devices running Android, Farseer is built to target Windows, which appears to be more typical given previous threats seen from the group or groups behind this, and related malware,” the researchers conclude. 

Related: New “HenBox” Android Malware Discovered

Related: Backdoor Targeting Malaysian Government a “Mash-up” of Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
