FELIXROOT

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

ID: S0267
Associated Software: GreyEnergy mini
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 17 October 2018
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
GreyEnergy mini [2]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

FELIXROOT uses WMI to query the Windows Registry.[2]

Enterprise T1112 Modify Registry

FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FELIXROOT adds a shortcut file to the startup folder for persistence.[2]

Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

FELIXROOT creates a .LNK file for persistence.[2]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.[1][2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[1][2]

Enterprise T1560 Archive Collected Data

FELIXROOT encrypts collected data with AES, Base64-encodes it, and then sends it to the C2 server.[1]

Enterprise T1012 Query Registry

FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[1][2]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[1][2]

Enterprise T1070.004 Indicator Removal: File Deletion

FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

FELIXROOT uses Rundll32 for executing the dropper program.[1][2]

Enterprise T1082 System Information Discovery

FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.[1][2]

Enterprise T1033 System Owner/User Discovery

FELIXROOT collects the username from the victim’s machine.[1][2]

Enterprise T1124 System Time Discovery

FELIXROOT gathers the time zone information from the victim’s machine.[2]

Enterprise T1016 System Network Configuration Discovery

FELIXROOT collects information about the network including the IP address and DHCP server.[2]

Enterprise T1518.001 Software Discovery: Security Software Discovery

FELIXROOT checks for installed security software like antivirus and firewall.[2]

Enterprise T1105 Ingress Tool Transfer

FELIXROOT downloads and uploads files to and from the victim’s machine.[1][2]

Enterprise T1057 Process Discovery

FELIXROOT collects a list of running processes.[2]

References