Skip to content

S0171 Felismus

Felismus is a modular backdoor that has been used by Sowbug. 1 2

Item Value
ID S0171
Associated Names
Type MALWARE
Version 1.1
Created 16 January 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Felismus uses HTTP for C2.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Felismus uses command line for execution.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Some Felismus samples use a custom method for C2 traffic that utilizes Base64.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.2
enterprise T1105 Ingress Tool Transfer Felismus can download files from remote servers.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Felismus has masqueraded as legitimate Adobe Content Management System files.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Felismus checks for processes associated with anti-virus vendors.2
enterprise T1082 System Information Discovery Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.2
enterprise T1016 System Network Configuration Discovery Felismus collects the victim LAN IP address and sends it to the C2 server.2
enterprise T1033 System Owner/User Discovery Felismus collects the current username and sends it to the C2 server.2

Groups That Use This Software

ID Name References
G0054 Sowbug 1

References