After disappearing for a few months, FELIXROOT, a backdoor capable of dropping additional malware and conducting espionage, has been discovered in a new malspam campaign. This campaign uses weaponized lure documents that claim to contain seminar information about environmental protection efforts.
FELIXROOT comprises a variety of functions. It uses the Windows registry and Windows Management Instrumentation (WMI) to fingerprint the system it targets. The backdoor can also drop and execute files and batch scripts. Its other abilities include exfiltration of information and remote shell execution.
FireEye stated that the documents in this new campaign are in Russian and that they exploit two older Microsoft Office vulnerabilities. An attachment exploits CVE-2017-0199, and a second-stage payload is then downloaded. The downloaded file is weaponized with CVE-2017-11882, and a backdoor binary is then dropped and executed directly onto the unsuspecting victim's machine.
In their posting, FireEye researchers stated this about the campaign:
“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function.”
When an unsuspecting user opens a document with the exploit embedded in it, CVE-2017-0199 lets a malicious actor download and execute a Visual Basic script containing PowerShell commands. For attackers seeking an initial compromise route into machines running Windows, it is a favored vector.
CVE-2017-11882 is a remote code execution vulnerability. It enables attackers to run arbitrary code in the context of the current user. An attacker could gain full control of the infected system if that user happens to be logged on with administrative rights. Patches are available for both of these vulnerabilities, however.
FELIXROOT is a hazardous threat. Thankfully, so far the backdoor appears to have been used only sparingly. According to FireEye, September of 2017 was the last time FELIXROOT was seen in action. Back then, it was used as a payload in a campaign that targeted Ukrainians.
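A defensive way to use the infection chain described above (Office document exploit, dropper, loader run through RUNDLL32.EXE) is to hunt for rundll32.exe processes that descend from an Office application or that load a DLL from a user-writable path. The following is an added example, not code from FireEye or from the campaign; the event layout is a simplified, constructed Sysmon-like record, and the Office image names and the AppData path pattern are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not from the FireEye report):
# pid, parent pid, image path and command line, in a simplified Sysmon-like shape.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": "WINWORD.EXE seminar.docx"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
     "cmd": "dropper.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\bob\AppData\Roaming\loader.dll,Export"},
    # Benign control-panel launch from explorer: must not be flagged.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Assumed set of Office host processes that should rarely have rundll32 descendants.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed pattern for DLLs loaded from a user-writable profile location.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, dict], max_depth: int = 16) -> List[dict]:
    """Walk the parent chain of `pid`, bounded to avoid loops in bad data."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(cur)
    return chain


def find_suspicious_rundll32(events: List[dict]) -> List[dict]:
    """Flag rundll32.exe with an Office ancestor or a DLL under a user profile."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "rundll32.exe":
            continue
        office_ancestor = any(_basename(a["image"]) in OFFICE_IMAGES for a in ancestry(e["pid"], by_pid))
        user_dll = bool(USER_WRITABLE.search(e["cmd"]))
        if office_ancestor or user_dll:
            hits.append({"pid": e["pid"], "office_ancestor": office_ancestor, "user_writable_dll": user_dll})
    return hits
```

Against the constructed events, only pid 400 is reported, with both indicators set; the explorer-launched control panel call is not flagged.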