S0171 Felismus
Felismus is a modular backdoor that has been used by Sowbug.[1][2]
| Item | Value |
|---|---|
| ID | S0171 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 16 January 2018 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Felismus uses HTTP for C2.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Felismus uses the command line for execution.[2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Some Felismus samples use a custom method for C2 traffic that utilizes Base64.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Felismus can download files from remote servers.[2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Felismus has masqueraded as legitimate Adobe Content Management System files.[2] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Felismus checks for processes associated with anti-virus vendors.[2] |
| enterprise | T1082 | System Information Discovery | Felismus collects system information, including hostname and OS version, and sends it to the C2 server.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Felismus collects the victim LAN IP address and sends it to the C2 server.[2] |
| enterprise | T1033 | System Owner/User Discovery | Felismus collects the current username and sends it to the C2 server.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0054 | Sowbug | [1] |
References
1. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
2. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.