Forcepoint researchers have released their first take on a new malware family nicknamed Felismus that is believed at this time to be used only against very specific targets.
The cybersecurity firm detected the malware using the open-source intelligence (OSINT) threat-intelligence processing techniques of its special investigations division, Carl Leonard, Forcepoint’s principal security analyst, told SC Media, adding that its stealthy nature enabled it to stay hidden for many months.
“Felismus is effective at remaining undetected – it sailed under radars without samples arising for 6 months. Such a threat can render an organisation’s defences inadequate and provide a platform for data theft and continued backdoor,” he said.
Forcepoint’s Luke Somerville and Abel Toro took a long look at Felismus, the name being inspired by the Tom & Jerry encryption key ‘Tom&Jerry@14here’ used by the malware, and found it is used to drop a remote access tool capable of all the typical file upload, download and command execution actions. The two noted the malware seems brand new to the market, as it uses previously undocumented and unseen command and control domains and new IP addresses, which they thought odd since other indicators, such as compilation timestamps, show the campaign has been active for six months.
“Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted,” they wrote.
The attackers are also adept at covering their tracks: their identities, and even the ultimate purpose and targets of the malware, remain unknown.
The excellent manner in which the modular and self-updating malware is constructed led Somerville and Toro to believe it was created by a skilled group of attackers who are also actively maintaining the software. Felismus is designed to evade a wide variety of antivirus products, and its executables and DLLs were written to hinder security researchers.
The researchers did, however, pick up a couple of errors or oversights.
“The unusual use of the folder name ‘datas’ and the apparent typo in the function name ‘GetCurrtenUserName’ stand out. While the latter kind of error is not necessarily unusual in malware samples, it does stand out in what is otherwise a well-written piece of software,” they wrote, adding that “datas” may indicate the creator’s first language is not English.
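The three artefacts the article quotes (the ‘Tom&Jerry@14here’ key, the misspelled ‘GetCurrtenUserName’ function name and the ‘datas’ folder name) can serve as a first-pass triage signature. The scanner below is an added example, not Forcepoint’s code; it assumes the strings appear in cleartext (ASCII or UTF-16LE) in a sample, which packing or encoding would defeat, and it treats ‘datas’ as a weak indicator on its own because it is a common substring.

```python
import re
from typing import Dict, List

# Strings quoted in the article. That they appear in cleartext in a given
# sample is an assumption; a packed or encoded binary would hide them.
STRONG = {
    "key": b"Tom&Jerry@14here",      # the Tom & Jerry encryption key
    "typo": b"GetCurrtenUserName",   # the misspelled function name
}
WEAK = {
    "folder": b"datas",              # common substring, only meaningful with others
}

def _patterns(needle: bytes) -> List[bytes]:
    """ASCII and UTF-16LE forms, since Windows binaries often store wide strings."""
    return [needle, needle.decode("ascii").encode("utf-16-le")]

def scan_bytes(data: bytes) -> Dict[str, List[int]]:
    """Return {indicator_name: [byte offsets]} for every indicator found in data."""
    hits: Dict[str, List[int]] = {}
    for name, needle in {**STRONG, **WEAK}.items():
        for pat in _patterns(needle):
            for m in re.finditer(re.escape(pat), data):
                hits.setdefault(name, []).append(m.start())
    return hits

def verdict(hits: Dict[str, List[int]]) -> str:
    """'match' if any strong indicator hit, 'weak' if only the folder name, else 'clean'."""
    if any(name in hits for name in STRONG):
        return "match"
    return "weak" if hits else "clean"

def scan_file(path: str) -> str:
    with open(path, "rb") as f:
        return verdict(scan_bytes(f.read()))

# Constructed buffers standing in for a suspect binary and a benign one:
# the key stored as ASCII, the typo stored as UTF-16LE.
SAMPLE = (b"\x00" * 16 + b"Tom&Jerry@14here" + b"\x00" * 8
          + "GetCurrtenUserName".encode("utf-16-le") + b"\x00" * 4)
BENIGN = b"loading datasets from datas folder\x00"

if __name__ == "__main__":
    for label, buf in (("sample", SAMPLE), ("benign", BENIGN)):
        found = scan_bytes(buf)
        print(label, verdict(found), found)
```

Run `scan_file()` over a quarantine directory to sort samples into match/weak/clean buckets before deeper analysis; a ‘weak’ result alone is not evidence of Felismus.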
Forcepoint concluded that the small amount of information it was able to find on Felismus represents just the “thin end of the wedge” as far as this campaign is concerned.