Felismus

Felismus is a modular backdoor that has been used by Sowbug.[1][2]

ID: S0171
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Felismus uses the command line for execution.[2] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Some Felismus samples use a custom encryption method for C2 traffic that combines AES, base64 encoding, and multiple keys.[2] |
| Enterprise | T1036 | Masquerading | Felismus has masqueraded as legitimate Adobe Content Management System files.[2] |
| Enterprise | T1105 | Remote File Copy | Felismus can download files from remote servers.[2] |
| Enterprise | T1063 | Security Software Discovery | Felismus checks for processes associated with anti-virus vendors.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Felismus uses HTTP for C2.[2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Some Felismus samples use AES to encrypt C2 traffic.[2] |
| Enterprise | T1082 | System Information Discovery | Felismus collects system information, including the hostname and OS version, and sends it to the C2 server.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Felismus collects the victim's LAN IP address and sends it to the C2 server.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Felismus collects the current username and sends it to the C2 server.[2] |

Groups

Groups that use this software:

Sowbug

References