Felismus

Felismus is a modular backdoor that has been used by Sowbug. [1] [2]

ID: S0171
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Felismus uses command line for execution. [2] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Some Felismus samples use a custom encryption method for C2 traffic using AES, base64 encoding, and multiple keys. [2] |
| Enterprise | T1036 | Masquerading | Felismus has masqueraded as legitimate Adobe Content Management System files. [2] |
| Enterprise | T1105 | Remote File Copy | Felismus can download files from remote servers. [2] |
| Enterprise | T1063 | Security Software Discovery | Felismus checks for processes associated with anti-virus vendors. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Felismus uses HTTP for C2. [2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Some Felismus samples use AES to encrypt C2 traffic. [2] |
| Enterprise | T1082 | System Information Discovery | Felismus collects system information, including hostname and OS version, and sends it to the C2 server. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | Felismus collects the victim LAN IP address and sends it to the C2 server. [2] |
| Enterprise | T1033 | System Owner/User Discovery | Felismus collects the current username and sends it to the C2 server. [2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0054 | Sowbug | [1] |

References