Felismus

Felismus is a modular backdoor that has been used by Sowbug. [1] [2]

ID: S0171
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Felismus uses the command line for execution.[2] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Some Felismus samples use a custom encryption method for C2 traffic using AES, base64 encoding, and multiple keys.[2] |
| Enterprise | T1036 | Masquerading | Felismus has masqueraded as legitimate Adobe Content Management System files.[2] |
| Enterprise | T1105 | Remote File Copy | Felismus can download files from remote servers.[2] |
| Enterprise | T1063 | Security Software Discovery | Felismus checks for processes associated with anti-virus vendors.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Felismus uses HTTP for C2.[2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Some Felismus samples use AES to encrypt C2 traffic.[2] |
| Enterprise | T1082 | System Information Discovery | Felismus collects system information, including hostname and OS version, and sends it to the C2 server.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Felismus collects the victim's LAN IP address and sends it to the C2 server.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Felismus collects the current username and sends it to the C2 server.[2] |

Groups

Groups that use this software:

Sowbug

References