FELIXROOT Backdoor Resurfaces in Environmental Spam Campaign

silversurfer

This backdoor can be used for espionage and for dropping additional malware.

After a few months of absence, the FELIXROOT backdoor malware has been spotted in a fresh malspam campaign. The campaign uses weaponized lure documents claiming to contain seminar information on environmental protection efforts.

This backdoor has a range of functions, including the ability to fingerprint a targeted system via Windows Management Instrumentation (WMI) and the Windows registry; the ability to drop and execute files and batch scripts; remote shell execution; and information exfiltration.

According to FireEye, the Russian-language documents in the new campaign exploit a pair of older Microsoft Office vulnerabilities. First, the attachment exploits CVE-2017-0199 to download a second-stage payload; then, the downloaded file is weaponized with CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.

“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,” FireEye researchers explained, in a posting on the campaign on Thursday.
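The infection chain quoted above ends with the loader being run through RUNDLL32.EXE out of an Office document. The following is an added detection example, not code from the article or from FireEye: it walks constructed process-creation events and flags rundll32.exe (or the Equation Editor host eqnedt32.exe, which CVE-2017-11882 targets; that mapping is an assumption from public CVE details, not stated in the post) whenever an Office application sits in its parent chain.

```python
# Added example: flag rundll32.exe / eqnedt32.exe processes descended from an
# Office application, the lineage the FELIXROOT chain produces. Not from the article.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# eqnedt32.exe as the CVE-2017-11882 host is an assumption from public CVE details.
SUSPECT_CHILDREN = {"rundll32.exe", "eqnedt32.exe"}

# Constructed sample telemetry (hypothetical paths and PIDs), not a real capture.
SAMPLE_EVENTS = [
    Event(400, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(500, 400, r"C:\Program Files\Microsoft Office\WINWORD.EXE", 'WINWORD.EXE "seminar.docx"'),
    Event(600, 500, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          "EQNEDT32.EXE -Embedding"),
    Event(700, 600, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\u\AppData\Local\Temp\loader.dll,#1"),
    # Benign: rundll32 launched from explorer, no Office ancestor, must not alert.
    Event(800, 400, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_office_spawned(events):
    """Return (pid, chain) for each suspect process that has an Office ancestor.
    chain lists image basenames from the Office parent down to the process."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in SUSPECT_CHILDREN:
            continue
        chain = [basename(e.image)]
        cur = by_pid.get(e.ppid)
        while cur is not None:                # walk up until an Office parent or the root
            chain.insert(0, basename(cur.image))
            if basename(cur.image) in OFFICE:
                alerts.append((e.pid, chain))
                break
            cur = by_pid.get(cur.ppid)
    return alerts

if __name__ == "__main__":
    for pid, chain in find_office_spawned(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)}")
```

On the sample data this reports pid 600 (winword.exe -> eqnedt32.exe) and pid 700 (winword.exe -> eqnedt32.exe -> rundll32.exe) and stays silent on the explorer-launched rundll32.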