After a few months of absence, FELIXROOT backdoor is used for espionage and additional malware dropping in a fresh malspam campaign
This new campaign uses weaponized documents that are posing as a seminar for environment protection.
After running a malware analysis on it, researchers discovered that the backdoor has a broad range of functions: fingerprinting a system via Windows Management Instrumentation (WMI) and the Windows registry, dropping and executing files and batch scripts, remote shell execution, and information exfiltration.
The infected documents in this new campaign are written in Russian and their purpose is to exploit some Microsoft Office vulnerabilities. First, the weaponized files exploit CVE-2017-0199 to download a second-stage payload; then, the downloaded file is weaponized with CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.
Nowadays your devices hold all the information a hacker needs to launch further attacks on you. To stay away from threats like this, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS it is running.
If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
CVE-2017-0199 is used by the hackers to download and execute a Visual Basic script embedded with PowerShell commands.
Meanwhile, CVE-2017-11882 is a remote code execution vulnerability that allows attackers to run arbitrary code; if the current victim is logged on with administrative user rights, the hacker takes total control of their device.
Patches for both are available, but these two are among the most commonly exploited vulnerabilities, and hackers are unlikely to stop using them in their cyberattacks anytime soon.
When it is run, the backdoor sleeps for 10 minutes, then performs an initial system triage before establishing communications with the command-and-control (C&C) server. After this, it uses the Windows API to collect the computer name, username, volume serial number, Windows version, processor architecture and many other pieces of information.
FELIXROOT communicates with the C&C server over HTTP and HTTPS POST requests. All of its traffic is AES-encrypted, then Base64-encoded before being sent to the C2 server.
Interestingly, the embedded FELIXROOT backdoor component is encrypted with a 4-byte XOR key; it is decrypted and loaded directly in memory without ever touching the disk.
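The two traits just described, AES-then-Base64 C2 traffic and a 4-byte XOR-wrapped embedded component, are both things a defender can look for. The following Python script is an added example, not code from the original report or from the FELIXROOT sample: it flags POST bodies that are strict Base64 wrapping high-entropy data of AES block length, and it recovers a 4-byte XOR key from a container by assuming the hidden component starts with the usual PE prefix (`MZ\x90\x00`) and confirming the candidate key by checking that the DOS header's `e_lfanew` points at a `PE\0\0` signature. The log lines, the XOR key, the wrapper bytes and the fake PE header are all constructed for the demonstration.

```python
import base64
import binascii
import math
import struct
from collections import Counter

# ---------- Part 1: spotting AES-over-Base64 POST bodies in a proxy log ----------

# Constructed proxy log lines (not real FELIXROOT traffic): "<time> <method> <path> <body>"
SAMPLE_LOG = [
    "2018-07-26T10:00:01Z GET  /index.html -",
    "2018-07-26T10:00:05Z POST /login user=alice&pw=hunter2",
    "2018-07-26T10:00:09Z POST /api/upload " + base64.b64encode(b"hello world").decode(),
    "2018-07-26T10:00:12Z POST /api/check " + base64.b64encode(b"A" * 32).decode(),
    # stand-in for ciphertext: 256 distinct byte values, i.e. maximal entropy
    "2018-07-26T10:00:20Z POST /update " + base64.b64encode(bytes(range(256))).decode(),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_aes_over_base64(body: str, min_len: int = 32, ratio: float = 0.85):
    """Return (flagged, reason). A body is suspicious when it is strict Base64 of at least
    min_len bytes, the decoded length is a multiple of the 16-byte AES block, and the
    decoded bytes are close to the maximum entropy possible for their length."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "not strict Base64"
    if len(raw) < min_len:
        return False, "too short"
    if len(raw) % 16:
        return False, "length is not a multiple of the AES block size"
    ent = shannon_entropy(raw)
    max_ent = math.log2(min(len(raw), 256))  # a short sample cannot reach 8 bits/byte
    if ent / max_ent < ratio:
        return False, f"entropy {ent:.2f} too low for {len(raw)} bytes"
    return True, f"entropy {ent:.2f} over {len(raw)} bytes"


def scan_log(lines):
    """Return (timestamp, path, reason) for every POST whose body looks like wrapped ciphertext."""
    hits = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[1] != "POST":
            continue
        ts, _, path, body = parts
        flagged, reason = looks_like_aes_over_base64(body)
        if flagged:
            hits.append((ts, path, reason))
    return hits


# ---------- Part 2: recovering a 4-byte XOR key around an embedded PE ----------

KNOWN_PE_PREFIX = b"MZ\x90\x00"  # typical first four bytes of a PE file
CONSTRUCTED_KEY = b"\x13\x37\xca\xfe"  # constructed key, not the sample's real key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(cipher: bytes, known_prefix: bytes = KNOWN_PE_PREFIX) -> bytes:
    """Known-plaintext recovery: each key byte is ciphertext XOR expected plaintext."""
    return bytes(c ^ p for c, p in zip(cipher[: len(known_prefix)], known_prefix))


def pe_header_consistent(container: bytes, off: int, key: bytes) -> bool:
    """Decrypt the DOS header at off and confirm e_lfanew points at 'PE\\0\\0'."""
    header = xor_with_key(container[off : off + 0x40], key)
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    sig_off = off + e_lfanew
    if e_lfanew < 0x40 or sig_off + 4 > len(container):
        return False
    rot = e_lfanew % len(key)  # keep the key phase aligned with the payload, not the container
    return xor_with_key(container[sig_off : sig_off + 4], key[rot:] + key[:rot]) == b"PE\x00\x00"


def find_embedded_pe(container: bytes, key_len: int = 4):
    """Try every offset as the start of an XOR-wrapped PE; return (offset, key, decrypted)."""
    for off in range(len(container) - 0x40):
        key = recover_xor_key(container[off : off + key_len])
        if pe_header_consistent(container, off, key):
            return off, key, xor_with_key(container[off:], key)
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal DOS/PE header (no real code) used as the hidden component."""
    hdr = bytearray(0x84)
    hdr[0:4] = KNOWN_PE_PREFIX
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + b"[constructed payload body, not real code]"


CONTAINER = b"some wrapper bytes " + xor_with_key(build_fake_pe(), CONSTRUCTED_KEY) + b" trailer"

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious POST:", hit)
    found = find_embedded_pe(CONTAINER)
    if found:
        off, key, dec = found
        print(f"embedded PE at offset {off}, key {key.hex()}, header {dec[:4]!r}")
```

The entropy check is normalized to the sample length because a short ciphertext cannot reach 8 bits per byte; on real proxy logs the thresholds still need tuning against legitimate Base64 uploads. The XOR scan works because a 4-byte repeating key leaks completely once four plaintext bytes are known, and a PE's header gives an analyst exactly that; the `e_lfanew` cross-check rejects the candidate keys produced at every wrong offset.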
After infecting the targeted system, FELIXROOT runs through a set of commands for its specific tasks, sleeping for one minute between each. After all of them are completed it clears all of its presence traces from the victim machine.
Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS it is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.