FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

ID: S0267
Platforms: Windows

Version: 1.0

Techniques Used

Domain     | ID    | Name                                | Use
Enterprise | T1059 | Command-Line Interface              | FELIXROOT opens a remote shell to execute commands on the infected system. [1]
Enterprise | T1043 | Commonly Used Port                  | FELIXROOT uses port 443 for C2 communications. [1]
Enterprise | T1022 | Data Encrypted                      | FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server. [1]
Enterprise | T1107 | File Deletion                       | FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components. [1]
Enterprise | T1112 | Modify Registry                     | FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open. [1]
Enterprise | T1027 | Obfuscated Files or Information     | FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm. [1]
Enterprise | T1012 | Query Registry                      | FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. [1]
Enterprise | T1105 | Remote File Copy                    | FELIXROOT downloads and uploads files to and from the victim’s machine. [1]
Enterprise | T1085 | Rundll32                            | FELIXROOT uses Rundll32 for executing the dropper program. [1]
Enterprise | T1064 | Scripting                           | FELIXROOT executes batch scripts on the victim’s machine. [1]
Enterprise | T1071 | Standard Application Layer Protocol | FELIXROOT uses HTTP and HTTPS to communicate with the C2 server. [1]
Enterprise | T1082 | System Information Discovery        | FELIXROOT collects the victim’s computer name, processor architecture, OS version, and volume serial number. [1]
Enterprise | T1033 | System Owner/User Discovery         | FELIXROOT collects the username from the victim’s machine. [1]