A recently discovered backdoor program designed to compromise Windows users has strong ties to HenBox, an Android-based malware known to target members of the Uyghur ethnic group in China, as well as smartphones from Chinese manufacturer Xiaomi.
Dubbed Farseer, the previously undisclosed malware dates back at least two-and-a-half years, according to Palo Alto Networks’ Unit 42 researchers Alex Hinchliffe and Mike Harbison in a Feb. 26 company blog post. Unit 42 has tracked more than 30 unique samples over that span of time — and while most emerged in 2017, new samples have appeared as recently as the last two months.
The malware appears to be the latest known cyber weapon available to the attack group associated with HenBox, which is also affiliated with the malware programs Poison Ivy, PlugX, Zupdax, 9002 RAT and PKPLUG malware.
An early sample reportedly delivered a decoy PDF document featuring a copied news article from a Myanmar website that reports news in the Southeast Asia region — a clue that Farseer’s intended victims are located in this geographic area.
Unit 42 says that Farseer essentially acts as a cyberespionage tool that beacons to the attackers’ command-and-control servers for instructions. To avoid detection during the infection process, it employs DLL sideloading techniques — using trusted, vendor-signed binaries to load malicious code.
Additionally, “some payloads are encrypted on disk preventing analysis, especially as decompression and decryption occurs at runtime, in-memory, where code is further altered to thwart forensic analysis,” the blog post continues.
Commonalities between Farseer, HenBox and the other related malware types include file hashes, IP addresses, domain names and config files.