1. Home
  2. Software
  3. Felismus

Felismus

Felismus is a modular backdoor that has been used by Sowbug. [1] [2]

ID: S0171
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

Felismus has masqueraded as legitimate Adobe Content Management System files.[3]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.[2]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Felismus uses command line for execution.[2]
Enterprise T1071 .001 应用层协议: Web Protocols

Felismus uses HTTP for C2.[2]
Enterprise T1132 .001 数据编码: Standard Encoding

Some Felismus samples use a custom method for C2 traffic that utilizes Base64.[2]
Enterprise T1082 系统信息发现

Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.[2]
Enterprise T1033 系统所有者/用户发现

Felismus collects the current username and sends it to the C2 server.[2]
Enterprise T1016 系统网络配置发现

Felismus collects the victim LAN IP address and sends it to the C2 server.[2]
Enterprise T1518 .001 软件发现: Security Software Discovery

Felismus checks for processes associated with anti-virus vendors.[2]
Enterprise T1105 输入工具传输

Felismus can download files from remote servers.[2]

Groups That Use This Software

ID Name References
G0054 Sowbug

[1]

References

  1. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  2. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  1. Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved January 10, 2024.