Threat Management, Threat Intelligence, Malware

‘Farseer’ backdoor targets Windows systems, linked to ‘HenBox’ malware

A recently discovered backdoor program designed to compromise Windows users has strong ties to HenBox, an Android-based malware known to target members of the Uyghur ethnic group in China, as well as smartphones from Chinese manufacturer Xiaomi.

Dubbed Farseer, the previously undisclosed malware dates back at least two-and-a-half years, according to Palo Alto Networks' Unit 42 researchers Alex Hinchliffe and Mike Harbison in a Feb. 26 company blog post. Unit 42 has tracked more than 30 unique samples over that span of time -- and while most emerged in 2017, new samples have appeared as recently as the last two months.

The malware appears to be the latest known cyber weapon available to the attack group associated with HenBox, which is also affiliated with the malware programs Poison Ivy, PlugX, Zupdax, 9002 RAT and PKPLUG malware.

An early sample reportedly delivered a decoy PDF document featuring a copied news article from a Myanmar website that reports news in the Southeast Asia region -- a clue that Farseer's intended victims are located in this geographic area.

Unit 42 says that Farseer essentially acts as a cyberespionage tool that beacons to the attackers' command-and-control servers for instructions. To avoid detection during the infection process, it employs DLL sideloading techniques -- using trusted, vendor-signed binaries to load malicious code.

Additionally, "some payloads are encrypted on disk preventing analysis, especially as decompression and decryption occurs at runtime, in-memory, where code is further altered to thwart forensic analysis," the blog post continues.

Commonalities between Farseer, HenBox and the other related malware types include file hashes, IP addresses, domain names and config files.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.