A recently discovered backdoor is used in attacks targeting victims in and around the South East Asia region, Palo Alto Networks security researchers warn.
Dubbed Farseer and targeting Windows computers, the malware appears to be connected to the HenBox Android malware family that was found last year being used in cyber-espionage attacks focused on the Uyghur population.
The infrastructure behind both HenBox and Farseer is tied to other malware as well, including Poison Ivy, Zupdax, and PKPLUG, the security researchers say. The infrastructure used by these malware families is vast and the overlaps are numerous.
More than 30 unique Farseer samples have emerged over the past two years, mostly in 2017, though some were seen in 2018 too. The most recent of them were spotted during the past two months.
The most recent sample introduces a new command and control (C&C) domain to the Farseer set, but that domain was also used by some Poison Ivy samples as their C&C. Previous activity on the domain is fairly old, dating back to mid-2015, but the domain remains in fairly active use, with the most recent activity dated December 2018.
In addition to this C&C, Farseer and Poison Ivy infrastructure overlaps include the use of two other domains, as well as the use of third-level domains as the C&C, and a couple of IP addresses. On top of that, Farseer overlaps with HenBox and PlugX samples through multiple C&C domains and IP addresses. Farseer was also tied to domains and custom Gh0st RAT malware samples.
“It’s possible the infrastructure relates to the same group, or multiple groups, conducting various attacks against different operating systems using the various malware families described in this, and related, reports. The possible ties require further investigation,” Palo Alto Networks points out.
Farseer employs DLL sideloading to load its payload. The malware’s configuration files share similarities with those of HenBox, starting with the fact that both are text files that are read and parsed at run-time. For persistence, Farseer creates a registry entry to run a VBS script that launches bscmake.exe, which in turn loads the malware itself.
“In this case, we do not have great visibility into the targets of the Farseer malware. However, given our existing knowledge based on previous research, and around malware with closely-related infrastructure, together with certain targeting themes seen in some Farseer samples, it is highly likely that victims lay in and around the South East Asia region,” Palo Alto Networks says.
Farseer payloads, the researchers note, are backdoors that receive instructions from pre-configured C&C servers and use various techniques to evade detection and inhibit analysis, including DLL sideloading using trusted, signed executables. Payloads are encrypted on disk; decompression and decryption occur at runtime, in memory, where the code is further altered to hinder forensic analysis.
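The persistence chain described above (Run-key entry that launches a VBS script, which in turn starts bscmake.exe to sideload the payload) lends itself to simple host-telemetry detection. The following is an added example written for this article, not code from Palo Alto Networks or from the Farseer report; the event format and field names are assumptions, the sample events are constructed, and the assumption that bscmake.exe normally lives under a Visual Studio install path is the example's own, not a claim from the report.

```python
import re

# Constructed sample events (not taken from the report), in a simplified shape
# a host sensor might emit for registry writes and process creations.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"wscript.exe C:\Users\u\AppData\Roaming\svc\update.vbs"},
    {"type": "process_create",
     "image": r"C:\Users\u\AppData\Roaming\svc\bscmake.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create",  # legitimate build-tool use: should not alert
     "image": r"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community"
              r"\VC\Tools\MSVC\14.16.27023\bin\Hostx64\x64\bscmake.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry_set",  # benign Run-key entry: should not alert
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b[wc]script\.exe\b|\.vbs\b", re.IGNORECASE)
# Assumption for this example: bscmake.exe is expected under a Visual Studio path.
VS_PATH = re.compile(r"\\Microsoft Visual Studio\\", re.IGNORECASE)


def find_farseer_like_persistence(events):
    """Return (rule_name, detail) tuples for events matching the two stages
    of the persistence chain: a Run-key value invoking a VBS script, and
    bscmake.exe started from an unexpected location or by a script host."""
    alerts = []
    for e in events:
        if e["type"] == "registry_set":
            if RUN_KEY.search(e["path"]) and SCRIPT_HOST.search(e["value"]):
                alerts.append(("run_key_vbs", e["path"]))
        elif e["type"] == "process_create":
            image = e["image"]
            if image.lower().endswith("\\bscmake.exe"):
                parent = e["parent_image"].lower()
                launched_by_script = parent.endswith(("wscript.exe", "cscript.exe"))
                if not VS_PATH.search(image) or launched_by_script:
                    alerts.append(("suspicious_bscmake", image))
    return alerts


if __name__ == "__main__":
    for rule, detail in find_farseer_like_persistence(SAMPLE_EVENTS):
        print(rule, detail)
```

Correlating the two alerts on the same host (a Run-key VBS entry followed by a bscmake.exe start under a script host) gives a much higher-confidence signal than either rule alone.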
“Whereas HenBox posed a threat for devices running Android, Farseer is built to target Windows, which appears to be more typical given previous threats seen from the group or groups behind this, and related malware,” the researchers conclude.