• The malware is spread through malicious PDF files.
• It can act as a cyberespionage tool and download additional payloads as well.

A new malware family called Farseer has been found conducting surveillance against Windows users. The malware shares strong similarities with HenBox, an Android-based malware known to target Xiaomi IoT devices and members of the Uyghur ethnic group in China.

How does it spread - Discovered by Palo Alto Networks Unit 42, Farseer relies on a technique known as ‘DLL sideloading’: it drops legitimate, signed binaries to the host and has those trusted binaries load its malicious code. Apart from HenBox, the new malware is also linked to other malware programs such as Poison Ivy, Zupdax and PKPLUG.

The malware is generally spread through phishing campaigns and malicious PDF files that employ social engineering tactics. An early investigation revealed that the sample was delivered through a fake PDF document featuring a copied news article from a Myanmar website.

What can it do - Unit 42 researchers disclosed that Farseer employs the DLL sideloading technique to evade detection during the infection process.

“To achieve this, the malware begins by dropping known, legitimate, signed binaries to the host. These binaries, signed by Microsoft or other vendors, are typically trusted applications when checked by antivirus software or the operating system and thus do not raise any suspicious alerts,” researchers explained.

The malware also acts as a cyberespionage tool by behaving as a backdoor and communicating with command and control (C2) servers to download additional payloads.

"The obfuscation routine used in this case -- and many others -- is simply ASCII encoding where characters are replaced with their ASCII value; other variants have used stronger, custom encryption algorithms to hide configuration data," Palo Alto researchers said.
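The quoted obfuscation scheme is simple enough that a defender can reverse it during triage. The following is an added example written for this article, not code from Unit 42 or from the Farseer sample: it assumes decimal ASCII codes (either concatenated with no delimiter, or separated by a delimiter) and that configuration strings are printable ASCII. Under the printable-only assumption the undelimited form is uniquely decodable, which the decoder exploits, and the triage helper uses that property to discard ordinary numbers such as dates. The sample dump and the `c2.example.invalid` string are constructed, not indicators from the report.

```python
import re
from typing import List, Optional, Tuple

PRINTABLE_MIN, PRINTABLE_MAX = 32, 126  # printable ASCII range assumed for config strings


def encode_ascii_codes(text: str) -> str:
    """Constructed inverse of the scheme: each character becomes its decimal code,
    concatenated with no delimiter ('http' -> '104116116112')."""
    return "".join(str(ord(ch)) for ch in text)


def decode_ascii_codes(digits: str) -> Optional[str]:
    """Decode concatenated decimal ASCII codes. Because only printable codes
    32..126 are allowed, the stream is uniquely decodable without a delimiter:
    a code starting with '1' must be 3 digits (100..126), any other code is
    2 digits (32..99). Returns None if the run is not a clean encoding."""
    out = []
    i = 0
    while i < len(digits):
        width = 3 if digits[i] == "1" else 2
        tok = digits[i:i + width]
        if len(tok) != width or not tok.isdigit():
            return None
        code = int(tok)
        if not PRINTABLE_MIN <= code <= PRINTABLE_MAX:
            return None
        out.append(chr(code))
        i += width
    return "".join(out)


def decode_delimited(blob: str, sep: str = ",") -> Optional[str]:
    """Variant for samples that separate codes with a delimiter ('104,116,116,112')."""
    try:
        codes = [int(tok) for tok in blob.split(sep) if tok.strip()]
    except ValueError:
        return None
    if not codes or any(not PRINTABLE_MIN <= c <= PRINTABLE_MAX for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def find_encoded_strings(blob: str, min_chars: int = 4) -> List[Tuple[str, str]]:
    """Triage helper: report every digit run that decodes cleanly to at least
    min_chars printable characters. Ordinary numbers (dates, versions, ports)
    fail the decode and are dropped, which keeps false positives down."""
    hits = []
    for match in re.finditer(r"\d{%d,}" % (2 * min_chars), blob):
        run = match.group(0)
        decoded = decode_ascii_codes(run)
        if decoded is not None and len(decoded) >= min_chars:
            hits.append((run, decoded))
    return hits


# Constructed sample resembling a strings dump of a config blob; no real IoCs.
SAMPLE_DUMP = (
    "init ok build=20190101 104116116112 "
    + encode_ascii_codes("c2.example.invalid:443")
    + " ver=2019 done"
)

if __name__ == "__main__":
    for run, text in find_encoded_strings(SAMPLE_DUMP):
        print(f"{run} -> {text!r}")
```

Run against a strings dump of a suspect binary or dropped config file, `find_encoded_strings` surfaces only digit runs that decode entirely to printable text, so a date like `20190101` is rejected at its first code while `104116116112` decodes to `http`. Samples using a delimiter or a different radix need `decode_delimited` or a small adjustment; the report notes that other variants use custom encryption, which this helper does not cover.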

Why it matters - In total, around 30 unique samples of the malware have been spotted over the past two and a half years. Although that number is low, researchers claim that Farseer could be used in the future to ramp up threat activity in Southeast Asia.

Cyware Publisher