Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Forcepoint spotted the modular Felismus RAT, it appears the work of skilled professionals

Malware researchers at Forcepoint have discovered a new modular malicious code, dubbed Felismus RAT, that appears the work of skilled professionals. Malware researchers at Forcepoint have discovered a new modular malicious code dubbed Felismus RAT. The malware has been used in highly targeted campaigns, experts believe the Felismus RAT is the work of skilled professionals. […]

Forcepoint spotted the modular Felismus RAT, it appears the work of skilled professionals

Malware researchers at Forcepoint have discovered a new modular malicious code, dubbed Felismus RAT, that appears the work of skilled professionals.

Malware researchers at Forcepoint have discovered a new modular malicious code dubbed Felismus RAT. The malware has been used in highly targeted campaigns, experts believe the Felismus RAT is the work of skilled professionals.

The malware implements sophisticated evasion technique and anti-analysis features (i.e. Advanced encryption of network communications, the malware uses at least three separate encryption methods depending on the type of message), Forcepoint experts noticed a good ‘operational hygiene’ of the threat actor, it avoided re-use of email addresses and other traceable artifacts for its campaigns.

The Felismus RAT implements a self-updating capability, it is currently able to evade a large number of antivirus solutions. The malicious code implements the typical features of RATs, such as file upload, file download, file execution, and shell (cmd.exe) command execution.

The malicious code can also create text files on the infected machine.

The researchers started the investigation on the Felismus RAT working on available samples feature filenames mimicking that of Adobe’s Content Management System (AdobeCMS.exe). These samples were detected several weeks ago, but the cyber attacks leveraging this malware can be dated six months before.

“The primary samples examined appear in the wild with filenames mimicking that of Adobe’s Content Management System [1] and offers a range of commands typical of Remote Access Tools: file upload, file download, file execution, and command execution.” reads the analysis published by Forcepoint. “Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.”

The experts are still investigating the attacks leveraging the RAT that is believed to be part of a larger campaign.

The command and control (C&C) infrastructure appears still active.

“Visiting cosecman[]com reveals what appears to be a copy of the WordPress.org website, albeit with a stylesheet error in all browsers tested.” continues the analysis.

Felismus RAT

The researchers noticed the threat actors did not reuse the email addresses to register the domains involved in their campaigns.

“The malware analysed appears to be both modular and well-written, strongly suggesting that skilled attackers are responsible, while its apparent scarcity in the wild implies that it is likely highly targeted.”concluded the analysis. “On top of this, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts suggests coordinated, professional actors and, at the time of writing, there is little to link it with any known campaigns (APT-linked or otherwise),”

Some typo errors in the folder name and in the function name ‘GetCurrtenUserName’ suggest that the authors might not be Anglo-Saxons.

The researchers discovered that the available malware samples appear to have been compiled using a December 2014 version of the open-source TDM-GCC compiler suite.

The researchers added that one of the C&C IP addresses appeared to selectively block one of the security firm’s exit IPs during research.

“If the other modules and capabilities associated with the malware remain a matter of speculation, so too do the intended target(s). Of the five domains hosted on the C&C IP address identified within this post, three – cosecman[]com, nasomember[]com, and unmailhome[]com – have potential associations with the financial services sector; however, under this theory the naming of the remaining two domains – maibars[]com and mastalib[]com – remain unexplained,” Forcepoint concludes.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Felismus RAT, malware)