Farseer malware brings Windows exploits to attack group's Android arsenal

The new threat has been connected to attackers known for targeting Android devices.
Written by Charlie Osborne, Contributing Writer

A new brand of malware has been developed to give a threat group the tools required to attack Windows operating systems alongside their usual Android targets.

On Tuesday, cybersecurity researchers from Palo Alto's Unit 42 said the malware, dubbed Farseer, has connections to HenBox, a cyberespionage malware detected in 2018 in attacks against Google's Android operating system.

HenBox is found lurking in malicious Android apps including Virtual Private Network (VPN) services and system programs. 

HenBox primarily targets the Turkish Uyghur group in order to steal data including personal and device information, including any phone numbers with a Chinese prefix. The malware is also able to compromise smartphone cameras and microphones.

This malicious software has been used in political, targeted attacks and the threat group connected to HenBox have used other malware dating back to 2015 including PlugX, Zupdax, 9002, and Poison Ivy.

See also: MWC 2019: Your bionic hand is now at risk from hackers

Generally focused on smartphones, the hackers have now expanded their horizons with the launch of Farseer. The malware is spread through phishing campaigns and malicious .PDF files which employ social engineering tactics through the copy-and-paste of news articles sourced through a Myanmar website.

Farseer uses DLL sideloading by dropping known, legitimate binaries to a host which are signed, trusted applications passed by vendors including Microsoft and therefore are not deemed malicious by traditional antivirus solutions. Malicious payloads are nested inside imports to avoid detection and are also packaged and encrypted.

CNET: US reportedly took Russian trolls offline on Election Day in 2018

Obfuscated code is then loaded to create a backdoor and communicate with command-and-control (C2) servers for additional commands, which may include information theft.

"The obfuscation routine used in this case -- and many others -- is simply ASCII encoding where characters are replaced with their ASCII value; other variants have used stronger, custom encryption algorithms to hide configuration data," Palo Alto says.

In total, 30 unique samples of the malware have appeared on the radar over the past two and a half years. The researchers say there has been a "low volume but steady flow" of Farseer samples, which can be traced back to a web of infrastructure used to host other malware used by the group.

Seven known domains host the malware, four of which are also related to Poison Ivy, Zupdax, and PKPLUG, and all of which share at least one third-level domain in common.

The researchers believe this shared resource could indicate a "template being used for the infrastructure setup or based on the requirements of the malware's C2 communication."

TechRepublic: Why AI and ML are not cybersecurity solutions--yet

An interesting facet of Farseer is a tenuous connection to the 2015 Ghost Dragon campaign, which targets both Chinese and Russian users through customized Gh0st Remote Access Trojans (RATs). However, it is not possible to know just how strong these ties are, given the amount of time that has elapsed.

"Whereas HenBox posed a threat for devices running Android, Farseer is built to target Windows, which appears to be more typical given previous threats seen from the group or groups behind this, and related malware," the researchers say. "The overlapping infrastructure, shared TTPs and similarities in malicious code and configurations highlights the web of threats used to target victims in and around the South East Asia region and perhaps beyond."

Facebook's worst privacy scandals and data disasters

Previous and related coverage

Editorial standards