After a few months of absence, the FELIXROOT backdoor malware has been spotted in a fresh malspam campaign. The campaign uses weaponized lure documents claiming to contain seminar information on environmental protection efforts.
This backdoor has a range of functions, including the ability to fingerprint a targeted system via Windows Management Instrumentation (WMI) and the Windows registry; the ability to drop and execute files and batch script; remote shell execution; and information exfiltration.
According to FireEye, the Russian-language documents in the new campaign exploit a pair of older Microsoft Office vulnerabilities. First, the attachment exploits CVE-2017-0199 to download a second-stage payload; then, the downloaded file is weaponized with CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.
“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,” FireEye researchers explained, in a posting on the campaign on Thursday.
CVE-2017-0199 allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. It’s a favorite target for hackers looking for an initial compromise route into Windows machines.
CVE-2017-11882 meanwhile is a remote code execution vulnerability that allows attackers to run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take total control of the affected system.
Patches for both are available, but the vulnerabilities “are two of the more commonly exploited vulnerabilities that we are currently seeing,” FireEye noted. “Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected.”
Upon execution, the backdoor sleeps for 10 minutes, then proceeds with an initial system triage before establishing command-and-control (C2) network communications. It queries the Windows API to get the computer name, user name, volume serial number, Windows version, processor architecture and so on.
FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols, FireEye noted. Data sent over the network is encrypted with AES, converted into Base64 and sent to the C2 server.
Interestingly, the embedded FELIXROOT backdoor component itself is encrypted using custom encryption that uses XOR with a 4-byte key; the file is decrypted and loaded directly in memory without touching the disk.
Having gained a foothold on the target system, FELIXROOT runs through a set of commands for its specific tasks, sleeping for one minute between each. After all of them are completed, the malware is coded to break the loop, sending the termination buffer back, and then clears all traces of its presence from the victim machine.
It’s a dangerous threat but appears to have been used sparingly so far. FireEye said that FELIXROOT was last seen in September 2017, when it was used as a payload in a campaign targeting Ukrainians. It involved attachments purporting to be Ukrainian bank documents, which contained malicious macros.