The malware’s name when parsed out, “Felis” and “mus,” mean cat and mouse respectively in Latin.
The malware’s name when parsed out, “Felis” and “mus,” mean cat and mouse respectively in Latin.

Forcepoint Lab spotted a remote access trojan (RAT) dubbed Felismus which has a modular construction that allows it to hide and or extend its capabilities.

The malware's name when parsed out, “Felis” and “mus,” means cat and mouse respectively in Latin.

AlienVault researchers further examined the RAT and described the malware as “well-written” and said once compromised, attackers have the ability to install keyloggers, network traffic analyzers, tools to automate exploration of the system, and even update self-update the trojan, according to a recent report by AlienVault  Product Marketing Manager Julia Kisielius.

“What makes Felismus particularly dangerous is its modular construction, which can help it hide or extend its capabilities,” researchers said in the report. “Once Felismus has compromised a system, an attacker can easily add a new functional module designed to accomplish whatever they want within the environment.”

The RAT's scarcity leads researchers to believe Felismus plays a role in a targeted campaign and the intent of the malware remains murky.

Researchers said the trojan infiltrates systems by posing as an Adobe Content Management System file and said that a malicious actor might fool unsuspecting users into downloading the RAT by presenting them with an update notice through a compromised ad network or phishing email campaign that reads, “To view this media content, click here to update to the latest version of Adobe.”

The RAT is also difficult to analyze and detect as it sends encrypted commands through the invisible window to a domain, disguising the activity as normal browsing and shopping behavior, researchers said in the report.

“Because the activity is designed to look like normal, whitelisted behavior, antivirus products are unlikely to pick it up,” researchers said in the report. “Although the contents of these commands have not been deciphered, they appear to be related to the malware's setup process.”

Researchers also said the malware's executables and DLL files are written in a way that makes analysis difficult and that most communications with its C2 server are twice-encrypted—using different keys.

The malware also appears to detect processes associated with popular antivirus programs and researchers said the threat actors behind the malware “care not to reuse identifiers like email addresses" which means there's no evidence linking it to known campaigns.

Despite the malware's C2 infrastructures being active, researchers have gained little insight into how the malware is currently being used.