Felismus is a sophisticated Remote Access Trojan (RAT) and, to date, has been used in highly targeted campaigns. RATs allow an attacker to access the infected machine in much the same way one would access a remote machine using TeamViewer, WebEx, or Windows Remote Terminal, however without the infected user’s knowledge or consent.
Felismus implements sophisticated evasion techniques and anti-analysis features including advanced encryption of network communications using at least three separate encryption methods depending on the type of message. It has so far avoided re-use of email addresses and other traceable artifacts for its campaigns.
The first available samples of Felismus, which emerged several weeks ago, feature filenames mimicking Adobe’s Content Management System (AdobeCMS.exe). The attackers behind the malware and their targets remain opaque for the time being, but the RAT’s libraries appear to be actively exploited and the attacks discovered thus far are believed to be part of a larger campaign.
At the time of publishing the following sample:
is detected by 31 / 61 anti-viruses on VirusTotal.
The sample creates the following DLL files:
File Name File Hash
The DLL files export the functions listed below:
When run, it creates an invisible window and registers a WindowProc function with it. The WindowProc function contains the main functionality of the malware. The original process sends messages to the invisible window to perform the following:
- Download a file from a remote server
- Create a text file on the local machine
- Execute a file
- Execute a shell command and save the results to disk
- Upload the results of a previously executed shell command to a remote server
Once installed, the Felismus malware masquerades as a Microsoft product.
The malware makes a series of HTTP requests to this CnC: www[dot]cosecman[dot]com
The requests are designed to look like normal shopping activity, but in fact the malware sends system information (including hostname, username, systemOS, LanIP, RunPath and WorkPath) in encrypted form within these requests.
The file named ‘data’ appears to be used to store the encrypted value returned by the C2 in response to the first HTTP GET request the malware makes.
The log files generated by the malware consist only of ISO-format date/time stamps and a three-digit log code.
Only three unique codes are generated during execution:
2017-04-03 09:48:51 701
2017-04-03 09:48:53 724
2017-04-03 09:48:53 800
These values are used by Felismus in callback communication.
INDICATORS OF COMPROMISE
AdobeCMS.exe : e48822e0c5ceae5377100053047e78f015b1ec2372f349eaa9e98f25ba33e4da
HTTPDLL.dll : 6d36d346865829e04b54b433d0ee9c07aa3df9ee07285924aef7abc92972ba3d
converts.dll : 6fc68860601f4d2d2c919a7e711bc37b1c4b3ccdaead7835879a9e4d40cddce7
CNC Domains & URLs
CNC IP Addresses
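As an added triage helper (this is not code from the original report or from the malware itself), the script below ties together the indicators given above: it matches SHA-256 digests against the three file hashes, refangs the defanged C2 domain so it can be compared against observed hostnames, and parses log files in the timestamp-plus-three-digit-code format, flagging only files whose codes all fall within the observed set 701/724/800. The sample log text and file contents are constructed for the demonstration, and all function names are my own.

```python
import hashlib
import re
from datetime import datetime

# Indicators of compromise as listed in the report: SHA-256 -> file name.
FELISMUS_HASHES = {
    "e48822e0c5ceae5377100053047e78f015b1ec2372f349eaa9e98f25ba33e4da": "AdobeCMS.exe",
    "6d36d346865829e04b54b433d0ee9c07aa3df9ee07285924aef7abc92972ba3d": "HTTPDLL.dll",
    "6fc68860601f4d2d2c919a7e711bc37b1c4b3ccdaead7835879a9e4d40cddce7": "converts.dll",
}

# Defanged C2 domain, exactly as written in the report.
FELISMUS_C2_DEFANGED = "www[dot]cosecman[dot]com"

# The three callback codes observed in the malware's log file.
FELISMUS_LOG_CODES = {"701", "724", "800"}

# One log line: "YYYY-MM-DD HH:MM:SS" followed by a three-digit code.
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d{3})$")

# Constructed sample log, using the codes shown in the report.
SAMPLE_LOG = """2017-04-03 09:48:51 701
2017-04-03 09:48:53 724
2017-04-03 09:48:53 800
"""


def refang(indicator):
    """Turn a defanged indicator back into a comparable hostname/URL."""
    return indicator.replace("[dot]", ".").replace("[.]", ".").replace("hxxp", "http")


def sha256_of_bytes(data):
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def match_hash(digest):
    """Return the indicator file name for a digest, or None if it is unknown."""
    return FELISMUS_HASHES.get(digest.lower())


def host_matches_c2(host):
    """True when an observed hostname equals the report's C2 domain."""
    return host.lower().rstrip(".") == refang(FELISMUS_C2_DEFANGED)


def parse_log(text):
    """Return (datetime, code) for every line in the Felismus log format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return entries


def log_looks_like_felismus(text):
    """True when every non-empty line parses and every code is one of the observed codes."""
    entries = parse_log(text)
    if not entries:
        return False
    non_empty = [line for line in text.splitlines() if line.strip()]
    codes = {code for _, code in entries}
    return len(entries) == len(non_empty) and codes <= FELISMUS_LOG_CODES


if __name__ == "__main__":
    # Constructed benign file content: must not match any indicator.
    print(match_hash(sha256_of_bytes(b"constructed benign content")))   # None
    print(host_matches_c2("WWW.cosecman.com"))                           # True
    print(log_looks_like_felismus(SAMPLE_LOG))                           # True
```

`log_looks_like_felismus` deliberately requires that every non-empty line parse and that no code outside 701/724/800 appear, so a generic log that merely contains a timestamp is not flagged; if you see additional codes in the wild, extend `FELISMUS_LOG_CODES` rather than loosening the check.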
Felismus is one of the many off-the-shelf hacking toolkits available on the DarkWeb that are making it easier for cyber criminals with little technical knowledge to conduct sophisticated cyber crimes. These toolkits when combined with so-called FUD (Fully Undetectable) Tools can generate polymorphic variants of a hacking toolkit on the fly — making it easy for bad guys to evade Anti-Virus and Sandbox based detection technologies.