SLASHNEXT LABS
Felismus Malware

April 4th 2017


Felismus is a sophisticated Remote Access Trojan (RAT) and, to date, has been used in highly targeted campaigns. RATs give an attacker access to the infected machine in much the same way one would access a remote machine with TeamViewer, WebEx, or Windows Remote Terminal, but without the infected user’s knowledge or consent.

Felismus implements sophisticated evasion techniques and anti-analysis features including advanced encryption of network communications using at least three separate encryption methods depending on the type of message. It has so far avoided re-use of email addresses and other traceable artifacts for its campaigns.

The first available samples of Felismus, which emerged several weeks ago, carry filenames mimicking Adobe’s Content Management System (AdobeCMS.exe). The attackers behind the malware and their targets remain opaque for the time being, but the RAT’s components appear to be in active use, and the attacks discovered thus far are believed to be part of a larger campaign.

Analysis
At the time of publishing, the following sample:

e48822e0c5ceae5377100053047e78f015b1ec2372f349eaa9e98f25ba33e4da

is detected by 31 / 61 anti-virus engines on VirusTotal.

The sample creates the following DLL files:

File Name       File Hash (MD5)
Converts.dll    E326F756F871FF6F939CECF898D84100
HTTPDLL.dll     DE587112A56889FA5C5AB2722D7EFAB6

The DLL files export the functions listed below:


When run, the sample creates an invisible window and registers a WindowProc function for it. That WindowProc function contains the main functionality of the malware: the original process sends window messages to the invisible window to perform the following actions:

  • Download a file from a remote server
  • Create a text file on the local machine
  • Execute a file
  • Execute a shell command and save the results to disk
  • Upload the results of a previously executed shell command to a remote server

Once installed, the Felismus malware masquerades as a Microsoft product.

Network Footprints:

The malware makes a series of HTTP requests to this CnC: www[dot]cosecman[dot]com

The requests are designed to look like normal shopping activity, but in fact the malware sends system information (including hostname, username, systemOS, LanIP, RunPath and WorkPath) in encrypted form within these requests.

The file named ‘data’ appears to be used to store the encrypted value returned by the C2 in response to the first HTTP GET request the malware makes.

The log files generated by the malware consist only of ISO-format date/time stamps followed by a three-character log code.

Only three unique codes are generated during execution:

2017-04-03 09:48:51 701
2017-04-03 09:48:53 724
2017-04-03 09:48:53 800

These values are used by Felismus in callback communication.

INDICATORS OF COMPROMISE

SHA256

AdobeCMS.exe : e48822e0c5ceae5377100053047e78f015b1ec2372f349eaa9e98f25ba33e4da

HTTPDLL.dll : 6d36d346865829e04b54b433d0ee9c07aa3df9ee07285924aef7abc92972ba3d

converts.dll : 6fc68860601f4d2d2c919a7e711bc37b1c4b3ccdaead7835879a9e4d40cddce7

CNC Domains & URLs

hxxp://www[.]cosecman[.]com/notice/news/items.php
hxxp://www[.]cosecman[.]com/notice/items/products.php

CNC IP Addresses

103.43.18.105:80

Dropped Files

AdobeCMS.exe
%APPDATA%/Roaming/Microsoft/Security/httpdll.dll
%APPDATA%/Roaming/Microsoft/Security/converts.dll
%APPDATA%/Roaming/Microsoft/Security/logs.txt
%APPDATA%/Roaming/Microsoft/Security/data
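The log format described above and the indicators listed in this section can be turned into a simple host-side check. The following is an added example written for this post, not SlashNext tooling: the SHA256 values, dropped-file names and log codes are taken from the post, the sample log text is constructed to reproduce the three lines shown, and the function and variable names are the example's own.

```python
import hashlib
import re
from datetime import datetime
from pathlib import Path
# SHA256 values and dropped-file names as listed in the post's IoC section.
FELISMUS_SHA256 = {
    "e48822e0c5ceae5377100053047e78f015b1ec2372f349eaa9e98f25ba33e4da": "AdobeCMS.exe",
    "6d36d346865829e04b54b433d0ee9c07aa3df9ee07285924aef7abc92972ba3d": "HTTPDLL.dll",
    "6fc68860601f4d2d2c919a7e711bc37b1c4b3ccdaead7835879a9e4d40cddce7": "converts.dll",
}
DROPPED_NAMES = ("httpdll.dll", "converts.dll", "logs.txt", "data")
# Log line format shown in the post: ISO date/time, a space, a three-character code.
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w{3})$")
KNOWN_CODES = {"701", "724", "800"}  # the three codes observed in the post
# Constructed sample reproducing the three log lines shown in the post.
SAMPLE_LOG = "2017-04-03 09:48:51 701\n2017-04-03 09:48:53 724\n2017-04-03 09:48:53 800\n"

def parse_log(text):
    """Return (datetime, code) pairs for lines in the Felismus log format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return entries

def log_looks_like_felismus(text, min_lines=2):
    """Heuristic: every non-empty line parses and at least one code is one the post observed."""
    non_empty = [line for line in text.splitlines() if line.strip()]
    entries = parse_log(text)
    return (len(entries) >= min_lines and len(entries) == len(non_empty)
            and any(code in KNOWN_CODES for _, code in entries))

def scan_security_dir(security_dir):
    """Check one %APPDATA%\\Microsoft\\Security folder (path is passed in so the check runs offline)."""
    findings = []  # (reason, path); a name match alone is weaker evidence than a hash match
    for name in DROPPED_NAMES:
        p = Path(security_dir) / name
        if not p.is_file():
            continue
        if name == "logs.txt":
            if log_looks_like_felismus(p.read_text(errors="replace")):
                findings.append(("log format matches Felismus", str(p)))
            continue
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        reason = ("SHA256 matches IoC " + FELISMUS_SHA256[digest] if digest in FELISMUS_SHA256
                  else "dropped-file name present, hash not in IoC list")
        findings.append((reason, str(p)))
    return findings
```

On a live host, pass the expanded %APPDATA%\Microsoft\Security path to scan_security_dir; a hash hit is a confirmed indicator, while a name-only hit warrants a manual look at the file.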

Felismus is one of the many off-the-shelf hacking toolkits available on the DarkWeb that are making it easier for cyber criminals with little technical knowledge to conduct sophisticated cyber crimes. These toolkits, when combined with so-called FUD (Fully Undetectable) tools, can generate polymorphic variants of a hacking toolkit on the fly, making it easy for bad guys to evade anti-virus and sandbox-based detection technologies.