
Researchers have uncovered a new family of malware called “Farseer” that’s designed to conduct surveillance against Windows users.

Discovered by Palo Alto Networks, Farseer relies on a technique known as “DLL sideloading”: it drops legitimate, signed binaries onto the host. These binaries are trusted applications that don’t raise any red flags with anti-virus software, so they are able to ultimately load “sys.dll,” the malicious payload, without generating any alerts.

Once running, “sys.dll” locates another file named “stub.bin.” It then loads “sys.dat,” a configuration file governing Farseer’s communications with its command and control (C&C) server.

This particular file stands out because it shares certain similarities with the config resource used by HenBox. In March 2018, Palo Alto Networks first discovered this Android malware family masquerading as VPN and Android system apps in an effort to target Uyghurs, a Turkic ethnic group, primarily Muslim, that lives in the Xinjiang Uyghur Autonomous Region in North West China. The security firm’s researchers subsequently took a closer look at HenBox and found that it shares ties to infrastructure used in previous targeted attacks involving threats like PlugX, Zupdax, 9002 and Poison Ivy.

Palo Alto Networks verified that these same connections apply to Farseer.

Maltego chart showing overlaps between Farseer and related threats. (Source: Palo Alto Networks)

With its configuration file loaded, Farseer creates a registry entry that runs a VBS script and executes “bscmake.exe.” This step ensures that the malware loads every time a user logs onto their Windows machine. At that point, it can collect information about the infected host and report back to its C&C.

Researchers at Palo Alto Networks see Farseer as part of a ramp-up in threat activity in South East Asia. As they explain in their blog post:

The threat actors behind Farseer, and related malware including HenBox, continue to grow their armoury with the addition of this previously-unknown malware family. The overlapping infrastructure, shared TTPs and similarities in malicious code and configurations highlight the web of threats used to target victims in and around the South East Asia region and perhaps beyond.

Given this increased activity, users should make sure that they install mobile apps only from official app marketplaces and that they keep an eye out for common phishing techniques.