Farseer: Previously Unknown Malware Family bolsters the Chinese armoury

Last year, Unit 42 wrote about a newly discovered espionage Android malware family, HenBox, which had countless features for spying on their victims – primarily the Uyghur population – including interaction with Xiaomi IoT devices, and the Chinese consumer electronics manufacturer’s smart phones. 

Through investigations into infrastructure used by HenBox malware, Unit 42 has discovered another malware family, which we named ‘Farseer’, built for the more frequently-targeted Microsoft Windows operating system. As with HenBox, Farseer has infrastructure ties to other malware, such as Poison Ivy, Zupdax, and PKPLUG.

We named this malware Farseer due to a string found in the PDB path embedded within the executable files. For example:


Tracking back, we have seen over 30 unique samples throughout the past two and a half years, the majority in 2017 and a handful in 2018. The most recent of these were seen, at least from our visibility, during the last two months, indicating a relatively low-volume yet steady flow of Farseer samples. Figure 1 below shows the trend of malicious sessions for these samples according to AutoFocus.


Figure 1 AutoFocus session trends for Farseer samples over time  

Ties to HenBox Android Malware et al 

As previously mentioned, there are ties between the Farseer, HenBox, PlugX, Zupdax, 9002, and Poison Ivy malware families. The infrastructure used across these families is vast, with plenty of overlaps; in this blog we focus only on some of the core ties captured in the green rectangle shown in Figure 2 below.


Figure 2 Maltego chart showing overlaps between Farseer and related threats  

Figure 2 shows a high-level representation of file hashes, IP addresses, and domain names used by some of the various malware families already mentioned, together with their overlaps. Farseer has the largest number of samples in Figure 2 but that’s skewed given the focus of this blog. 

 The green rectangle shows some of the core overlaps between the aforementioned families, which we will discuss in more detail now. 

 The most recent (at the point of publishing) Farseer sample (SHA256: 271E29FE… detailed in Table 2 below) introduced a new C2 domain – tcpdo[.]net – into the Farseer set, as shown in Figure 3 below. 


Figure 3 Maltego diagram showing tcpdo[.]net and other Farseer / PoisonIvy overlaps. 

Figure 3 shows how this new (to Farseer) domain relates directly to said Farseer sample and, indirectly, through third-level domains and IP addresses, to other Farseer samples. A handful of Poison Ivy samples have also used this domain as their C2, mostly before this Farseer sample – as early as mid-2015 – but also more recently, one month after it, on December 17th, 2018, indicating the domain is in fairly active use. Third-level domains of tcpdo[.]net, together with all other indicators, are listed at the end of this blog.

 The overlaps between Farseer and Poison Ivy don’t end with tcpdo[.]net. Much like with HenBox, other infrastructure ties exist: directly through sony36[.]com and  md.son36[.]com; indirectly through third-level domains of tcpdo[.]net and IP addresses 45.32.251[.]7 and 45.32.53[.]250. 

 Farseer also overlaps with HenBox and PlugX samples through multiple C2 domains and IP address resolutions:  

  • outhmail[.]com (and third-levels of this domain) 
  • cdncool[.]com (and third-levels of this domain) 
  • www3.mefound[.]com 
  • w3.changeip[.]org 
  • www5.zyns[.]com  
  • 45.32.53[.]250 
  • 45.32.44[.]52 
  • 45.32.45[.]77 
  • 59.188.196[.]162 
  • 59.188.196[.]172 

Domain outhmail[.]com was documented as part of research into a 9002 Trojan delivered through Google Drive back in 2016, further expanding the known capabilities of this group and its tools.

Ghost Dragon Overlaps  

Before we detail the Farseer malware itself, it’s worth noting another overlap we encountered during this research. Third-level domain 3w.tcpdo[.]net, as shown towards the bottom of Figure 4 below, resolved to IP 175.45.192[.]234 in 2015. This IP address relates to domains and custom Gh0st RAT malware samples, some of which are documented in this Ghost Dragon campaign report. Considering the time that has passed since that publication, it is harder to establish how strong the ties are; however, the two domains used by Poison Ivy (md5c[.]net) and Farseer (3w.tcpdo[.]net) have resolved to that IP address more recently than documented in the Ghost Dragon report: in June 2015 for Poison Ivy, and between July and August 2015 for Farseer. These two domains and five others – adminloader[.]com, csip6[.]biz, cdncool[.]com, linkdatax[.]com and adminsysteminfo[.]com – have a common registrant, 46313@QQ[.]COM, but no such commonality exists within the set of known Ghost Dragon domains.

It’s possible the infrastructure relates to the same group, or multiple groups, conducting various attacks against different operating systems using the various malware families described in this, and related, reports. The possible ties require further investigation. 


Figure 4 Maltego chart showing overlaps to Ghost Dragon campaign  

C2 Server Structure 

As previously mentioned in the first HenBox blog, a common registrant registered seven known domains, four of which had malicious activity related to the Poison Ivy, Zupdax, and PKPLUG malware families. Interestingly, all of the domains share at least one third-level domain in common, perhaps indicating a template being used for the infrastructure setup, or reflecting the requirements of the malware’s C2 communication. Table 1 below lists the commonalities, aside from generic third-level domains such as www, mail and dns.

Third-level domains shared across the registrant’s domains: info., re., update., up.

Table 1 Common third-level domain names 

Farseer Malware 

Now that we have introduced Farseer and how it relates to other known malware families, let’s dive into how the malware works. This section describes the general behavior of the malware based on a small subset of the total set of samples; a more detailed description is in the technical appendix.

Figure 5, below, describes at a high-level the post-installation execution flow of a typical Farseer sample.

Figure 5 Farseer Execution Flow

Farseer employs the known technique of DLL sideloading – the use of trusted binaries to load malicious code – to load its payload; see Figure 5. To achieve this, the malware begins by dropping known, legitimate, signed binaries to the host. These binaries, signed by Microsoft or other vendors, are typically trusted applications when checked by antivirus software or the operating system and thus do not raise any suspicious alerts. Figure 6 below shows the import library lists for both benign PE files, highlighting how the nested imports work to ultimately load sys.dll – the malicious payload.

 Figure 6 bscmake.exe importing mspdb80.dll importing Farseer’s sys.dll  

The payload on disk is an encrypted and compressed file that most antivirus software will not flag as malicious, since the underlying code is hidden. More information about how the decompression and decryption work can be found in the appendix.

Once sys.dll is running, it locates a file named stub.bin in the same folder, which in turn loads the Farseer config file, sys.dat, from disk. The config relates to C2 communications, amongst other things.

The following two code excerpts show the obfuscated and deobfuscated versions of this variant’s configuration file. The obfuscation routine used in this case – and in many others – is simply ASCII encoding, where each character is replaced with its ASCII value; other variants have used stronger, custom encryption algorithms to hide configuration data. Details are in the appendix.

The line items in the second code excerpt above are represented as follows:  

  • p1 relates to the C2 FQDN; 
  • p2 is the TCP port used for C2 – many variants use non-standard TCP ports;  
  • p3 is missing;  
  • p4 appears to be a version string of some sort, which is sent as part of the C2 communication – other variants have used strings, such as “mark”;  
  • p5 is the full file path from where the malware was launched. 

Farseer config files share some similarities with those of HenBox, as documented here and shown in Figure 7 below for convenience.  

 Figure 7 Screenshot of HenBox configuration file, setting.txt  

Both are text files, read and parsed at run-time; more often than not, the ASCII data is obfuscated using encoding methods of varying sophistication. Perhaps the most notable similarity is the notation of the content, which in both malware families:  

  • is delimited by an ‘=’ equals character; 
  • uses a single character followed by a single digit starting from 1 to begin each line; 
  • has the C2 host/FQDN on the first line; 
  • has the TCP port to use to connect the C2 on the second line; 
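The config format described above (one `<letter><digit>=<value>` line per setting, values obfuscated as ASCII codes, p1 the C2 host and p2 the port) can be decoded with a small parser. The following is an added example written for this page, not code from the Unit 42 post; the post does not show the raw bytes of sys.dat, so the separator between codes (a space), the field names, and the sample config are assumptions constructed here for illustration.

```python
"""
Added example (not code from the Unit 42 post): decode and parse a Farseer-style
config file whose values are obfuscated by replacing each character with its
decimal ASCII value, as the post describes for sys.dat. The post does not show
the raw bytes, so the separator between codes (a space) and the sample config
below are ASSUMPTIONS constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# A line is "<letter><digit>=<value>", matching the notation the post describes.
LINE = re.compile(r"^(?P<key>[A-Za-z]\d)=(?P<value>.*)$")
# Two or more decimal codes: a lone number (e.g. a plaintext port "158") is
# left as-is rather than misread as a single character code.
ASCII_RUN = re.compile(r"^\d+(?:\s+\d+)+$")


def encode_ascii(text: str) -> str:
    """Obfuscate a value the way the post describes (space-separated is assumed)."""
    return " ".join(str(ord(ch)) for ch in text)


def decode_ascii(value: str) -> str:
    """Reverse encode_ascii; rejects anything that is not byte-sized codes."""
    codes = [int(tok) for tok in value.split()]
    if any(not 0 <= c <= 255 for c in codes):
        raise ValueError("ASCII code outside 0..255")
    return "".join(chr(c) for c in codes)


@dataclass
class FarseerConfig:
    c2_host: Optional[str] = None      # p1
    c2_port: Optional[int] = None      # p2
    version_tag: Optional[str] = None  # p4 (p3 is absent in this variant)
    launch_path: Optional[str] = None  # p5
    raw: Dict[str, str] = field(default_factory=dict)


def parse_config(text: str) -> FarseerConfig:
    """Decode each obfuscated line and map the pN keys to named fields."""
    cfg = FarseerConfig()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not '<letter><digit>=<value>': {line!r}")
        value = m.group("value")
        # Other variants use custom encryption the post does not detail; values
        # that are not a run of ASCII codes are kept raw for manual follow-up.
        cfg.raw[m.group("key")] = decode_ascii(value) if ASCII_RUN.match(value) else value
    cfg.c2_host = cfg.raw.get("p1")
    if "p2" in cfg.raw:
        port = int(cfg.raw["p2"])
        if not 1 <= port <= 65535:
            raise ValueError(f"p2 is not a TCP port: {port}")
        cfg.c2_port = port
    cfg.version_tag = cfg.raw.get("p4")
    cfg.launch_path = cfg.raw.get("p5")
    return cfg


# Constructed sample: host/port are those the post gives for sample #1
# (update.tcpdo[.]net, TCP 158, kept defanged) and "mark" is the version-style
# string the post mentions; p3 is deliberately absent, as in the post.
SAMPLE_CONFIG = "\n".join([
    "p1=" + encode_ascii("update.tcpdo[.]net"),
    "p2=" + encode_ascii("158"),
    "p4=" + encode_ascii("mark"),
    "p5=" + encode_ascii(r"C:\Users\victim\AppData\Roaming\windows\bscmake.exe"),
])

if __name__ == "__main__":
    for key, plain in parse_config(SAMPLE_CONFIG).raw.items():
        print(f"{key}={plain}")
```

Values that do not look like a run of ASCII codes are kept verbatim in `raw`, so a config from one of the variants with custom encryption still parses structurally and the undecoded fields are visible for manual work.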

For persistence on the host, the Farseer malware creates a registry entry named sys under:


The entry runs the VBS script slmgr.vbs shown below, which executes bscmake.exe, and thus Farseer, each time a user logs on to their PC. 

createobject("wscript.shell").run "C:\Users\[username]\AppData\Roaming\windows\bscmake.exe"

One of the earliest Farseer samples Unit 42 analysed also used a decoy PDF document during execution. The PDF content included a copied news article from a Myanmar website that reports on news in the Southeast Asia region. The file properties of said PDF, as shown below, describe the language setting of the application that created it, together with the creation date – eight days prior to the Farseer sample that used the document. 

Language     : zh-CN
Author       : Administrator
Creator      : Microsoft® Word 2013
Create Date  : 2016:04:11 11:06:30+08:00
Modify Date  : 2016:04:11 11:06:30+08:00

More information about this variant of Farseer, and the decoy PDF, can be found in the appendix section. 


In this case, we do not have great visibility into the targets of the Farseer malware. However, given our existing knowledge from previous research into malware with closely-related infrastructure, together with certain targeting themes seen in some Farseer samples, it is highly likely that victims lie in and around the South East Asia region.

ATT&CK Techniques Observed 

ID  Technique 
T1140  Deobfuscate / Decode Files or Information 
T1071  Standard Application Layer Protocol 
T1060  Registry Run Keys / Startup Folder 
T1045  Software Packing 
T1073  DLL Side-Loading 
T1065  Uncommonly Used Port 
T1043  Commonly Used Port 
T1328  Buy domain name 
T1319  Obfuscate or encrypt code 


The threat actors behind Farseer, and related malware including HenBox, continue to grow their armoury with the addition of this previously-unknown malware family. The overlapping infrastructure, shared TTPs and similarities in malicious code and configurations highlight the web of threats used to target victims in and around the South East Asia region and perhaps beyond.

Farseer payloads are backdoors that beacon to pre-configured C2 servers for instructions. The malware uses various techniques to evade detection and inhibit analysis. For example, DLL sideloading using trusted, signed executables allows the malware to execute rather seamlessly; some payloads are encrypted on disk preventing analysis, especially as decompression and decryption occurs at runtime, in-memory, where code is further altered to thwart forensic analysis.  

Whereas HenBox posed a threat for devices running Android, Farseer is built to target Windows, which appears to be more typical given previous threats seen from the group or groups behind this, and related malware.  

Palo Alto Networks customers are already protected via:  

  • All samples in this report have a malicious verdict in WildFire. 
  • Traps advanced endpoint protection detects Farseer malware. 
  • Domains have been classified as malicious. 
  • AutoFocus tags are available for additional context: Farseer. 


The technical analysis of Farseer malware is described in this section. Table 2 below lists the samples we have chosen for our investigation. The list includes a couple of recent samples and the first Farseer sample seen, according to our data, to highlight key differences in the threat’s evolution.  

# | SHA256 | First Seen (Pacific Time) | Key Indicator / Domain
1 | 271E29FE8E23901184377AB5D0D12B40D485F8C404AEF0BDCC4A4148CCBB1A1A | 11/17/2018 10:11:16 pm | tcpdo[.]net:158
2 | 4AB41A025624F342DEB85D798C6D6264A9FB88B8B3D9037CF8D5248A9F730339 | 04/02/2018 7:18:07 pm | honor2020[.]ga:993
3 | 9E08EFC73DC9145358898D2735C5F31D45A2571663C7F4963ABD217AE979C7CA | 04/19/2016 6:26:15 pm | outhmail[.]com:80

Table 2 Samples discussed in this blog  

Farseer employs the known technique of DLL sideloading – the use of trusted binaries to load malicious code – to load its payload; see Figure 5. To achieve this, the malware begins by dropping known, legitimate, signed binaries to the host. These binaries, signed by Microsoft or other vendors, are typically trusted applications when checked by antivirus software or the operating system and thus do not raise any suspicious alerts. This technique takes advantage of the Windows search order for loading dependencies when a program launches. By default, the Windows loader will first look for any dependency files of the executable in its current working directory. If found, the executable will then load them into memory. With this in mind, the actors place their malicious DLLs in the same directory as the signed executable that was dropped on disk. By naming them as dependency files of that executable, the malicious code will run whenever the executable is started.

Now that the actor has found a way to execute malicious code on the host, they use it to load their final payload, which contains the core functionality of the Farseer malware. The payload on disk is an encrypted and compressed file that most antivirus software will not flag as malicious since the underlying code is hidden. To avoid detection from users and blend with the Windows file system, the payload files themselves have innocuous or common Windows file names and extensions.   

Decompression and decryption of the payload occur only at runtime, in memory, and the in-memory code is altered to thwart forensic analysis. This is achieved by deconstructing the import address table (IAT) and resolving the necessary API calls manually rather than relying on the Windows loader. In addition, it further hinders IAT reconstruction by using what is known as the ‘stolen code’ technique, wherein some of the instructions at the beginning of an API subroutine are emulated elsewhere, in an allocated memory region. This can cause unexpected results during memory analysis, as the IAT APIs cannot be resolved. We determined that the in-memory payloads are backdoors that beacon to a pre-configured command and control (C2) server for instructions.

First, bscmake.exe runs and imports mspdb80.dll, one of its dependency files. Bscmake.exe is an older Microsoft executable that is part of Visual Studio. When mspdb80.dll is loaded, it imports its own dependency files, one of which is sys.dll. It should be stated that both bscmake.exe and mspdb80.dll are known, trusted files signed by Microsoft Corporation and have not been modified. Sys.dll, however, is the Farseer malware; it is responsible for loading the encrypted stub.bin file in memory and beginning code execution.


Figure 8 Sys.dll loading stub.bin 


Figure 8 illustrates the connection between sys.dll and stub.bin. When sys.dll is loaded it will look for stub.bin in the current working directory. 


The most recent Farseer sample (#1, as per Table 2 above) communicates with update.tcpdo[.]net over TCP port 158. The contents of the network communications are encoded, unlike the earlier Farseer samples that used no encoding, highlighting one of many changes in the evolution of this malware. Figure 9 below highlights some of the key differences between the three samples used in the analysis for this appendix section.

Figure 9 Timeline for 3 Farseer samples in analysis; comparing notable differences  

Sample #2 (SHA256: 4AB41A025…) behaves almost identically to the others, but with the following differences:

  • Persistent VBS script renamed to common.vbs 
  • Encoded network communications 
  • Configuration file renamed to base.dat 
  • Encrypted and compressed configuration file 
  • Does not employ the use of any decoy documents  

This sample, seen in early April 2018, communicates with honor2020[.]ga, which started resolving to 199.247.25[.]110 in August 2018, according to PassiveTotal.

Domain honor2020[.]ga bucks the trend of third-level domains seen on the other domains, as per Table 1 above. From what we can tell, it has no such subdomains.

Other Farseer samples fall into the same bucket as honor2020[.]ga. That is, they have no third-level domains, or don’t match the pattern of the others, and they share no overlaps with existing infrastructure, whether used by Farseer or other malware families. Examples include windowsnetwork[.]org and newfacebk[.]com. The latter does share one third-level domain with the others in Table 1, but that’s where the commonality ends.

Reviewing the dozen or so domains resolving to 199.247.25[.]110, most also make use of free ccTLDs from Freenom, including .tk and .ml, as per the .ga in honor2020[.]ga. At this point, these domains and others resolving to this IP appear unrelated to Farseer, except for honor2020[.]ga, which is connected to Farseer sample 4AB41A025…. It’s possible honor2020[.]ga was simply chosen during testing for this more recent Farseer sample, but whatever the reason, it’s a change from the .com, .net and .org TLDs typically used by other samples.

The final sample to discuss (9E08EFC73…) as per Table 2 above, is the oldest sample we have record of in AutoFocus, seen on April 19th, 2016. In this case, a decoy PDF file is dropped and executed from the victim’s %TEMP% folder as the malware continues to execute – a behavior not seen again in other Farseer samples. The PDF has filename “Dateline Irrawaddy “Corruption Is Still Rampant Despite The Anti-Corruption Law.pdf” and file properties as shown below, describing the language setting of the application that created it, together with the creation date – eight days prior to us seeing the sample. 

Language     : zh-CN
Author       : Administrator
Creator      : Microsoft® Word 2013
Create Date  : 2016:04:11 11:06:30+08:00
Modify Date  : 2016:04:11 11:06:30+08:00

The content of the benign PDF (shown in Figure 10 below) appears to be a direct copy and paste of old content once posted on the Irrawaddy[.]com news website, whose mission is “to cover the news in Burma/Myanmar and Southeast Asia accurately and impartially.” From what we can tell, the article shown in the PDF was published on the news website sometime in early April 2016, and was used as a timely and potentially very topical social engineering theme for the attack.

Figure 10 Decoy PDF dropped by earliest version of Farseer malware  

Whilst the decoy PDF is shown to the victim, Farseer continues with the execution process by first creating a Windows sub-folder within the victim’s C:\Users\[username]\AppData\Roaming folder and dropping into it the files listed in Table 3 below.

Filename  Size in bytes  File Type / Comment 
bscmake.exe  77,312  Application signed by Microsoft; used in DLL sideloading technique 
mspdb80.dll  193,024  Microsoft-signed file imported by bscmake.exe 
slmgr.vbs  260  Shell-executes bscmake.exe 
stub.bin  71,767  Encrypted in-memory payload 
sys.dat  297  Config file read by stub.bin 
sys.dll  85,504  Malicious DLL loaded by benign mspdb80.dll file. 

Table 3 Farseer dropped files  
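The persistence chain described in the body of the post (Run-key value named sys, launching slmgr.vbs, which shell-executes bscmake.exe) and the dropped-file set in Table 3 together give a defender a concrete thing to check on a host. The following is an added example written for this page, not code from the Unit 42 post or from Palo Alto Networks: it follows a Run-key command to its VBS script, extracts the launched executable with the same `createobject("wscript.shell").run` pattern the post quotes, and then checks that executable’s folder for the rest of the Table 3 file set. File names and sizes are Table 3’s; the two-indicator scoring rule, the function and field names, and the constructed fixture directory are this example’s own assumptions.

```python
"""
Added example, not code from the Unit 42 post or Palo Alto Networks: triage a
Run-key entry for the persistence chain the post describes (Run value "sys" ->
slmgr.vbs -> bscmake.exe -> mspdb80.dll -> sys.dll -> stub.bin / sys.dat).
File names and sizes come from Table 3; the scoring rule, names and the
constructed fixture directory are this example's own assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Dropped-file set from Table 3 (name -> size in bytes).
FARSEER_DROP_SET: Dict[str, int] = {
    "bscmake.exe": 77312, "mspdb80.dll": 193024, "slmgr.vbs": 260,
    "stub.bin": 71767, "sys.dat": 297, "sys.dll": 85504,
}
# The launcher line quoted in the post; straight or curly quotes both accepted.
RUN_LINE = re.compile(
    r'createobject\s*\(\s*["“]wscript\.shell["”]\s*\)\s*\.run\s+["“]([^"”]+)["”]',
    re.IGNORECASE)
VBS_IN_CMD = re.compile(r'"([^"]+\.vbs)"|(\S+\.vbs)', re.IGNORECASE)


@dataclass
class Finding:
    run_value: str
    script: Optional[str] = None
    launched_exe: Optional[str] = None
    present: Dict[str, bool] = field(default_factory=dict)
    size_match: Dict[str, bool] = field(default_factory=dict)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent indicators, so a lone value named "sys" is not enough.
        return len(self.reasons) >= 2


def launched_exe_from_vbs(text: str) -> Optional[str]:
    """Pull the executable path out of a wscript.shell .run launcher script."""
    m = RUN_LINE.search(text)
    return m.group(1) if m else None


def vbs_path_from_command(command: str) -> Optional[str]:
    """Return the .vbs path in a Run-key command, if there is one."""
    m = VBS_IN_CMD.search(command)
    return (m.group(1) or m.group(2)) if m else None


def inspect_drop_dir(directory: Path, f: Finding) -> None:
    """Check the launched exe's folder for the rest of the Table 3 file set."""
    for name, size in FARSEER_DROP_SET.items():
        p = directory / name
        f.present[name] = p.is_file()
        f.size_match[name] = p.is_file() and p.stat().st_size == size
    if f.present["mspdb80.dll"] and f.present["sys.dll"]:
        f.reasons.append("sideload pair mspdb80.dll + sys.dll beside launched exe")
    if f.present["stub.bin"] or f.present["sys.dat"]:
        f.reasons.append("payload/config file stub.bin or sys.dat present")
    if any(f.size_match.values()):
        f.reasons.append("file sizes match the Table 3 dropped-file set")


def triage_run_entry(value_name: str, command: str) -> Finding:
    """Follow Run value -> VBS -> launched exe -> companion files."""
    f = Finding(run_value=value_name)
    if value_name.lower() == "sys":
        f.reasons.append("Run value named 'sys'")
    f.script = vbs_path_from_command(command)
    if not f.script:
        return f
    try:
        text = Path(f.script.replace("\\", os.sep)).read_text(errors="replace")
    except OSError:
        return f  # script missing or unreadable: nothing further to follow
    f.launched_exe = launched_exe_from_vbs(text)
    if not f.launched_exe:
        return f
    exe = Path(f.launched_exe.replace("\\", os.sep))  # lets a Windows path parse off-box
    if exe.name.lower() == "bscmake.exe" and "visual studio" not in str(exe).lower():
        f.reasons.append("bscmake.exe launched from outside a Visual Studio install")
    inspect_drop_dir(exe.parent, f)
    return f


def build_constructed_sample_dir() -> Path:
    """Constructed fixture: a folder laid out like Table 3, filler bytes only."""
    d = Path(tempfile.mkdtemp(prefix="farseer_fixture_"))
    for name in ("bscmake.exe", "mspdb80.dll", "sys.dll", "stub.bin", "sys.dat"):
        (d / name).write_bytes(b"\0" * FARSEER_DROP_SET[name])
    (d / "slmgr.vbs").write_text(
        f'createobject("wscript.shell").run "{d / "bscmake.exe"}"\n')
    return d


if __name__ == "__main__":
    fixture = build_constructed_sample_dir()
    result = triage_run_entry("sys", f'wscript.exe "{fixture / "slmgr.vbs"}"')
    print("suspicious" if result.suspicious else "clean", result.reasons)
```

On a live Windows host the (name, data) pairs fed to `triage_run_entry` would come from enumerating the user’s Run key with `winreg.EnumValue`; the example keeps that out so it runs anywhere against the constructed fixture. The exact Table 3 sizes are a strong but brittle signal (a rebuilt payload changes them), which is why the presence of the mspdb80.dll + sys.dll pair beside bscmake.exe outside a Visual Studio directory is scored separately.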


Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.

Indicators of Compromise: 

Farseer Decoy Docs 

06C091BB0630539DEC0D26EB6BFBF9108152E4C5AF27FF649CE84238CD88F81E – Dateline Irrawaddy “Corruption Is Still Rampant Despite The Anti-Corruption Law.pdf

7F091DA89C4412D71AE583481F91A471751A3C0E8DB0037CF31FFD00F4245B5B – New Microsoft Word 文档.doc

source: https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/

Linux: Ubuntu 18.04 LTS will be supported for a full decade

Stacked Ubuntu logo

Mark Shuttleworth has announced that Ubuntu 18.04 will be supported for ten years. Long Term Support releases of Ubuntu usually enjoy just five years of support, so this doubling is highly significant.

Shuttleworth — the founder of Canonical and Ubuntu — made the announcement at the OpenStack Summit in Berlin, and the change is a tactical maneuver that will help Ubuntu better compete against the likes of Red Hat/IBM. It is also an acknowledgement that many industries are working on projects that will not see the light of day for many years, and they need the reassurance of ongoing support from their Linux distro. Ubuntu can now offer this.

Ubuntu 18.04 was released in April of this year, and the new announcement means that it will be supported until 2028. It is a significant and important change for developers working in various fields including hardware, IoT and the cloud, but it is not known whether a similar support cycle will be adopted for future LTS releases.

As reported by ZDNet, Mark Shuttleworth said:

I’m delighted to announce that Ubuntu 18.04 will be supported for a full 10 years. In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IoT where manufacturing lines for example are being deployed that will be in production for at least a decade.

While the support cycle for future releases is not yet known, Shuttleworth said that support for Ubuntu 16.04 — which was due to come to an end in April of 2021 — will also be extended.

deepin 15.8 Linux distribution available for download — replace Windows 10 now!

As more and more people wake up to the fact that Windows 10 is a giant turd lately, computer users are exploring alternatives, such as Linux-based operating systems. First impressions can be everything, so when searching for a distribution, it is important that beginners aren’t scared off by bewildering installers or ugly and confusing interfaces.

Linux “n00bs” often opt for Ubuntu, and while that is a good choice, there are far more pretty and intuitive options these days. One such operating system that I recommend often is deepin. Why? It is drop-dead gorgeous and easy to use. It is guaranteed to delight the user, and its intuitive interface will certainly impress. Today, the newest version of the excellent Linux distro, deepin 15.8, becomes available for download.

ALSO READ: IBM gobbles up open source and Linux darling Red Hat in $34 billion deal

“Compared with deepin 15.7, the ISO size of deepin 15.8 has been reduced by 200MB. The new release is featured with newly designed control center, dock tray and boot theme, as well as improved deepin native applications, hoping to bring users a more beautiful and efficient experience,” says deepin developers.

ALSO READ: System76 Thelio computer is open source, Linux-powered, and made in the USA

The devs further say, “Prior to deepin official release, usually an internal test is implemented by a small number of community users, then we record their feedbacks and fix the bugs. Before this release, we test deepin 15.8 both from system upgrade and ISO installation. Thanks to the members of internal testing team. Their contributions are highly appreciated!”

As is typical with deepin, there are many eye candy changes to be found in the new release, including enhancements to the dock. The grub menu is now prettier, and the file manager has improved icons for the dark theme. It is not all about the superficial, however, as there is now an option for full disk encryption when installing the operating system — a very welcome addition.

The deepin developers share additional bug fixes and improvements below.


  • Optimized background drawing;
  • Optimized dual screen display;
  • Optimized the login process;
  • Optimized the notification animation;
  • Fixed the error message when switching to multi-user while verifying the password;
  • Fixed user login failure;
  • Fixed the setting failure of user’s keyboard layout;
  • Added the verification dialog for network password.


  • Fixed the identification error of connected network;
  • Fixed the high CPU usage of network when hotspot was enabled;
  • Fixed the issue that the network connecting animation did not disappear correctly;
  • Supported dragging and dropping any desktop file to the dock;
  • Recognized whether the preview window can be closed or not;
  • Supported transparency settings (set in Control Center);
  • Supported the new dock protocol (SNI);
  • Added “Show Desktop” button in efficient mode;
  • Redesigned the tray area in fashion mode;
  • Removed hot corner presets which can be customized by users.

Deepin Image Viewer

  • Removed the picture management function;
  • Fixed the distortion of high resolution pictures when zoom out.

Deepin Graphics Driver Manager

  • Fixed the identification error of Bumblebee solution;
  • Fixed the interface scaling problem on HiDPI screen;
  • Used glvnd series of drivers for PRIME solution;
  • Optimized error handling.

Ready to download deepin 15.8 and possibly replace Windows 10 with it? You can grab the ISO here. After you try it, please head to the comments and tell me what you think of the operating system — I suspect you will be pleasantly surprised.

Microsoft admits Cortana is an epic failure by shamelessly selling Amazon Echo Dot

Stunningly, Microsoft lost the smartphone wars despite getting a huge head start with Windows Mobile, and going back even further, Windows CE. Despite having a stranglehold/monopoly on desktop computing, the company made too many missteps with mobile, and ultimately, has been forced to exit the very profitable business. Microsoft even took down Nokia in the process, destroying a once beloved company.

Following smartphones, the next big thing was voice assistants, and Microsoft was ready with Cortana. Unfortunately, unlike Apple and Google who had successful mobile operating systems to push their assistants, Microsoft was once again left trailing behind since consumers passed hard on Windows Phone. Online retailer Amazon came out of nowhere and dominated this field too. Ultimately, Cortana has become a thing that exists solely to annoy Windows 10 users. This is a shame, because Cortana is actually pretty good.

But good things fail too, and when Microsoft announced a partnership with Amazon to add Cortana to Alexa — and vice versa — it was clear that Cortana was doomed. The deal was one-sided in favor of Amazon. Microsoft touted the Harman Kardon Invoke as a last-ditch effort to revive Cortana as a viable alternative to Siri, Google Assistant, and Alexa, but once again, consumers just didn’t want it. Also a shame, as the Invoke was a great piece of hardware.

And now, as a final deathblow to Ms. Cortana, Microsoft is selling the Echo Dot directly. Yes, the Windows-maker is selling a device that outshined its own failed assistant. While it is embarrassing, there is a precedent — Microsoft also sells the Android-powered Samsung Galaxy S9. Yes, the company sells a device running Linux that helped destroy Windows Phone. Sigh. What’s next? Microsoft selling Chromebooks?

Microsoft may claim that selling these devices are a way to push its own services, and there may be some truth to that, but make no mistake — it is still a self-imposed public shaming. Rest in peace, Cortana.