Felixroot Backdoor was first spotted in September 2017 in Ukraine, spreading through malicious banking documents whose macros downloaded the backdoor from the C&C server. The Felixroot Backdoor malware campaign has resurfaced, using the Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to compromise victims' Windows computers.
It is being distributed as a file named “Seminar.rtf”, which claims to provide information on a seminar about environmental protection efforts. Researchers report that these documents are written in Russian. The document exploits CVE-2017-0199 to download a second-stage payload, which in turn triggers CVE-2017-11882 to drop and execute the backdoor binary.
How does it get activated?
The downloaded Seminar.rtf contains an embedded binary that the Equation Editor executable drops in %temp%. That file drops an executable in %temp% (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9), which is used to drop and execute the FELIXROOT dropper component (MD5: 92F63B1227A6B37335495F9BCB939EA2).
The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) carries the compressed FELIXROOT dropper component in the overlay section of the Portable Executable (PE) binary. When executed, it creates two files: an LNK file that points to %system32%\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the startup directory, so the loader is launched again at every logon. Figure 5 shows the command in the LNK file that executes the loader component of FELIXROOT.
The embedded backdoor component is encrypted with a custom scheme. It is decrypted and loaded directly into memory without ever being written to disk.
Once execution completes, the backdoor steals all private information from the compromised machine. It then exits its execution loop and finally wipes its traces from the infected machine.
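The persistence step in the activation chain above (an LNK file in the Startup directory pointing at rundll32.exe) is something a defender can check for directly. The following is an added example, not code from the article or from the researchers' report: a minimal Shell Link (.lnk) parser that pulls the target path and command-line arguments out of a shortcut and flags any Startup-folder shortcut that launches rundll32.exe. The sample shortcut is constructed in the block, and the loader DLL path in it is a hypothetical placeholder, since the real command line (the report's Figure 5) is not on this page.

```python
import struct
# Offsets follow the public MS-SHLLINK format, not anything stated in the article.
HEADER_SIZE = 0x4C
CLSID_SHELLLINK = bytes.fromhex("0114020000000000C000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon"))

def build_lnk(local_base_path: str, arguments: str) -> bytes:
    """Constructed sample, not a captured file: minimal .lnk with LinkInfo + arguments."""
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    base = local_base_path.encode("ascii") + b"\x00"
    body = volume_id + base + b"\x00"                              # CommonPathSuffix = ""
    vol_off, base_off, suffix_off = 0x1C, 0x1C + len(volume_id), 0x1C + len(volume_id) + len(base)
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 1, vol_off, base_off, 0, suffix_off) + body
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + CLSID_SHELLLINK
    header += struct.pack("<I", HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE)
    return header.ljust(HEADER_SIZE, b"\x00") + link_info + string_data

def parse_lnk(data: bytes) -> dict:
    """Return the LocalBasePath target plus the StringData fields of a .lnk."""
    if len(data) < HEADER_SIZE or data[4:20] != CLSID_SHELLLINK:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                                        # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    fields = {"target": ""}
    if flags & HAS_LINK_INFO:
        size, _, li_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 1:                                           # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base_off)
            fields["target"] = data[pos + base_off:end].decode("ascii", "replace")
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:                                # each: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def is_rundll32_startup_lnk(data: bytes) -> bool:
    """Detection rule: flag a Startup-folder shortcut whose launch line invokes rundll32.exe."""
    info = parse_lnk(data)
    return "rundll32" in (info["target"] + " " + info.get("arguments", "")).lower()

# Hypothetical loader path (placeholder); real Startup shortcuts would be read from disk instead.
SAMPLE = build_lnk(r"C:\Windows\System32\rundll32.exe", r"%TEMP%\loader.dll,#1")
```

In practice the rule is run over every .lnk in each user's Startup folder and the all-users Startup folder, and a hit is triaged by inspecting the DLL the arguments name.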