Malware researchers at Forcepoint have discovered a new modular malicious code dubbed Felismus RAT. The malware has been used in highly targeted campaigns, experts believe the Felismus RAT is the work of skilled professionals.
The malware implements sophisticated evasion technique and anti-analysis features (i.e. Advanced encryption of network communications, the malware uses at least three separate encryption methods depending on the type of message), Forcepoint experts noticed a good ‘operational hygiene’ of the threat actor, it avoided re-use of email addresses and other traceable artifacts for its campaigns.
The Felismus RAT implements a self-updating capability, it is currently able to evade a large number of antivirus solutions. The malicious code implements the typical features of RATs, such as file upload, file download, file execution, and shell (cmd.exe) command execution.
The malicious code can also create text files on the infected machine.
The researchers started the investigation on the Felismus RAT working on available samples feature filenames mimicking that of Adobe’s Content Management System (AdobeCMS.exe). These samples were detected several weeks ago, but the cyber attacks leveraging this malware can be dated six months before.
“The primary samples examined appear in the wild with filenames mimicking that of Adobe’s Content Management System  and offers a range of commands typical of Remote Access Tools: file upload, file download, file execution, and command execution.” reads the analysis published by Forcepoint. “Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.”
The experts are still investigating the attacks leveraging the RAT that is believed to be part of a larger campaign.
The command and control (C&C) infrastructure appears still active.
“Visiting cosecmancom reveals what appears to be a copy of the WordPress.org website, albeit with a stylesheet error in all browsers tested.” continues the analysis.
The researchers noticed the threat actors did not reuse the email addresses to register the domains involved in their campaigns.
“The malware analysed appears to be both modular and well-written, strongly suggesting that skilled attackers are responsible, while its apparent scarcity in the wild implies that it is likely highly targeted.”concluded the analysis. “On top of this, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts suggests coordinated, professional actors and, at the time of writing, there is little to link it with any known campaigns (APT-linked or otherwise),”
Some typo errors in the folder name and in the function name ‘GetCurrtenUserName’ suggest that the authors might not be Anglo-Saxons.
The researchers discovered that the available malware samples appear to have been compiled using a December 2014 version of the open-source TDM-GCC compiler suite.
The researchers added that one of the C&C IP addresses appeared to selectively block one of the security firm’s exit IPs during research.
“If the other modules and capabilities associated with the malware remain a matter of speculation, so too do the intended target(s). Of the five domains hosted on the C&C IP address identified within this post, three – cosecmancom, nasomembercom, and unmailhomecom – have potential associations with the financial services sector; however, under this theory the naming of the remaining two domains – maibarscom and mastalibcom – remain unexplained,” Forcepoint concludes.
(Security Affairs – Felismus RAT, malware)