A sophisticated form of Trojan malware allows its highly-skilled creators to secretly take over an infected system — and it comes with self-updating capabilities that enable it to strengthen itself, fix bugs, or change what it looks like in order evade detection.
Once it has infected a system, the Felismus Remote Access Trojan (RAT) is capable of easily gaining new functionalities in order to achieve the goals of the attackers deploying it — espionage, keylogging, traffic analysis, further malware deployment, and more.
Initially discovered by Forcepoint, Felismus allows attackers to take complete control of an infected system, but its purpose remained something of a mystery. Now cybersecurity researchers at AlienVault have unveiled some of what they describe as the “devastating” intentions of this stealthy malware.
Named Felismus because of a reference to Tom & Jerry in its only human-readable encryption key (Felis is Latin for ‘cat’ and Mus is Latin for ‘mouse’), the malware appears to be primarily designed for espionage. While the identity of the victims — and indeed the perpetrators — remains a mystery, its scarcity in the wild suggests that it’s only being used for highly targeted attacks.
Felismus infiltrates systems by posing as an Adobe Content Management System file, with the malicious file presented as “AdobeCMS.exe”. Like many other forms of malware, the distribution method for this is most likely to come in a phishing email campaign, encouraging the victim to download what they’re led to believe is an Adobe update.
Once run on the target system, Felismus camouflages itself as a Windows process by registering a WindowProc function, allowing the window to secretly accept and process messages with the malware’s command-and-control server — all while disguised as normal activity.
This capability to look ‘normal’ makes Felismus particularly dangerous, as it enables the malware to avoid detection by antivirus programmes and the attackers to stealthily execute commands.
While this in itself poses a “significant threat”, says AlienVault, it only scrapes the surface of the Felismus’s dangers. Its modular construction allows it to hide and even extend its nefarious capabilities, essentially allowing the attackers to do anything they want in terms of monitoring, sabotaging, or stealing data.
The highly skilled nature of the threat actors behind Felismus, and their ability to cover their tracks, means that no-one knows their identity or their target. However, the malware doesn’t appear to be linked to any known campaigns.
Researchers have pointed to some clues that could lead to the identification of the attackers, though. Spelling errors in the malware construction indicate that English may not be the perpetrators’ first language, while the antivirus processes it’s built to detect feature vendors that predominantly operate in China.
Felismus was only discovered recently, but researchers say it appears to have been active for at least six months. The fact that it has been carefully constructed to avoid discovery has helped it remain hidden and carry out its criminal operations — whatever they may be, or may become.