Farseer malware brings Windows exploits to attack group's Android arsenal

silversurfer

A new brand of malware has been developed to give a threat group the tools required to attack Windows operating systems alongside their usual Android targets.

On Tuesday, cybersecurity researchers from Palo Alto's Unit 42 said the malware, dubbed Farseer, has connections to HenBox, a cyberespionage malware detected in 2018 in attacks against Google's Android operating system.

HenBox is found lurking in malicious Android apps including Virtual Private Network (VPN) services and system programs.
HenBox primarily targets the Turkish Uyghur group in order to steal data including personal and device information, such as any phone numbers with a Chinese prefix. The malware is also able to compromise smartphone cameras and microphones.

This malicious software has been used in political, targeted attacks, and the threat group connected to HenBox has used other malware dating back to 2015 including PlugX, Zupdax, 9002, and Poison Ivy.

Generally focused on smartphones, the hackers have now expanded their horizons with the launch of Farseer. The malware is spread through phishing campaigns and malicious .PDF files which employ social engineering tactics through the copy-and-paste of news articles sourced through a Myanmar website.

Farseer uses DLL sideloading by dropping known, legitimate binaries to a host which are signed, trusted applications passed by vendors including Microsoft and therefore are not deemed malicious by traditional antivirus solutions. Malicious payloads are nested inside imports to avoid detection and are also packaged and encrypted.

Obfuscated code is then loaded to create a backdoor and communicate with command-and-control (C2) servers for additional commands, which may include information theft.

"The obfuscation routine used in this case -- and many others -- is simply ASCII encoding where characters are replaced with their ASCII value; other variants have used stronger, custom encryption algorithms to hide configuration data," Palo Alto says.
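The quoted obfuscation routine (each character swapped for its ASCII value) is weak enough that an analyst can recover configuration data without the sample's own decoder. The following is an added example written for this thread, not code from the article or from Unit 42's report: it scans a constructed blob for runs of comma-separated decimal ASCII values and decodes the ones that form printable strings. The comma-separated decimal layout, the `SAMPLE_BLOB` contents and the `c2.example.com` hostname are all assumptions made up for the demonstration, not values taken from Farseer.

```python
import re

# Constructed sample, NOT data from a Farseer sample: a config fragment in which
# every character of two values has been replaced by its decimal ASCII value,
# joined with commas. The comma-separated decimal layout is an assumption.
SAMPLE_BLOB = (
    "update_url=104,116,116,112,58,47,47,99,50,46,101,120,97,109,112,108,101,"
    "46,99,111,109,47,103,97,116,101"
    "\r\nbeacon_sec=51,48,48"
)

# Three or more 2-3 digit numbers separated by commas (optional whitespace).
# Requiring at least three values keeps ordinary version numbers like "1,2"
# from being flagged.
DECIMAL_RUN = re.compile(r"(?:\d{2,3}\s*,\s*){2,}\d{2,3}")


def decode_ascii_values(run):
    """Turn '104,116,116,112' into 'http'; return None if any value is not
    printable ASCII, which is the cheapest way to reject false positives."""
    values = [int(v) for v in run.split(",")]
    if not all(32 <= v <= 126 for v in values):
        return None
    return "".join(chr(v) for v in values)


def recover_strings(blob):
    """Return (offset, decoded_string) pairs for every decodable run in blob,
    so an analyst can see where in the file each hidden value lived."""
    recovered = []
    for match in DECIMAL_RUN.finditer(blob):
        run = re.sub(r"\s+", "", match.group(0))  # tolerate spaces around commas
        decoded = decode_ascii_values(run)
        if decoded is not None:
            recovered.append((match.start(), decoded))
    return recovered


if __name__ == "__main__":
    for offset, text in recover_strings(SAMPLE_BLOB):
        print(f"offset {offset}: {text!r}")
```

Run against a real dump, the same scan is a quick triage step: decoded strings that look like URLs, hostnames or intervals are candidates for C2 configuration and can be compared against the indicators published in the vendor report rather than trusted on their own.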