{
	"id": "408e3d37-60fa-48c8-9792-cf9747483aa9",
	"created_at": "2026-04-06T00:16:39.738625Z",
	"updated_at": "2026-04-10T03:22:49.856708Z",
	"deleted_at": null,
	"sha1_hash": "40eff36404ceb315e7470b8373bb6214bf60b3b4",
	"title": "Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1369066,
	"plain_text": "Microsoft Office Vulnerabilities Used to Distribute FELIXROOT\r\nBackdoor in Recent Campaign\r\nBy Swapnil Patil\r\nPublished: 2018-07-26 · Archived: 2026-04-05 23:22:13 UTC\r\nThreat Research\r\nJuly 26, 2018\r\nCampaign Details\r\nIn September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians\r\nand reported it to our intelligence customers. In that campaign, malicious Ukrainian bank documents containing a\r\nmacro that downloaded a FELIXROOT payload were distributed to targets.\r\nFireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This\r\ntime, weaponized lure documents claiming to contain seminar information on environmental protection were\r\nobserved exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and\r\nexecute the backdoor binary on the victim’s machine. Figure 1 shows the attack overview.\r\nhttps://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html\r\nPage 1 of 13\n\nFigure 1: Attack overview\r\nThe malware is distributed via Russian-language documents (Figure 2) that are weaponized with known Microsoft\r\nOffice vulnerabilities. In this campaign, we observed threat actors exploiting CVE-2017-0199 and\r\nCVE-2017-11882 to distribute malware. The malicious document used is named “Seminar.rtf”. It exploits CVE-2017-0199 to\r\ndownload the second stage payload from 193.23.181.151 (Figure 3). 
The downloaded file is weaponized with\r\nCVE-2017-11882.\r\nFigure 2: Lure documents\r\nFigure 3: Hex dump of embedded URL in Seminar.rtf\r\nFigure 4 shows the first payload trying to download the second stage Seminar.rtf.\r\nFigure 4: Downloading second stage Seminar.rtf\r\nThe downloaded Seminar.rtf contains an embedded binary file that is dropped in %temp% via the Equation Editor\r\nexecutable. This file drops the executable at %temp% (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9), which\r\nis used to drop and execute the FELIXROOT dropper component (MD5:\r\n92F63B1227A6B37335495F9BCB939EA2).\r\nThe dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed\r\nFELIXROOT dropper component in the Portable Executable (PE) binary overlay section. When it is executed, it\r\ncreates two files: an LNK file that points to %system32%\\rundll32.exe, and the FELIXROOT loader component.\r\nThe LNK file is moved to the startup directory. Figure 5 shows the command in the LNK file to execute the loader\r\ncomponent of FELIXROOT.\r\nFigure 5: Command in LNK file\r\nThe embedded backdoor component is encrypted using custom encryption. The file is decrypted and loaded\r\ndirectly in memory without touching the disk.\r\nTechnical Details\r\nAfter successful exploitation, the dropper component executes and drops the loader component. The loader\r\ncomponent is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single\r\nexported function.\r\nStrings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key. 
Decryption logic\r\nused for ASCII strings is shown in Figure 6.\r\nFigure 6: ASCII decryption routine\r\nDecryption logic used for Unicode strings is shown in Figure 7.\r\nFigure 7: Unicode decryption routine\r\nUpon execution, a new thread is created where the backdoor sleeps for 10 minutes. Then it checks to see if it was\r\nlaunched by RUNDLL32.exe along with parameter #1. If the malware was launched by RUNDLL32.exe with\r\nparameter #1, then it proceeds with initial system triage before doing command and control (C2) network\r\ncommunications. Initial triage begins with connecting to Windows Management Instrumentation (WMI) via the\r\n“ROOT\\CIMV2” namespace.\r\nFigure 8 shows the full operation.\r\nFigure 8: Initial execution process of backdoor component\r\nTable 1 shows the classes referenced from the “ROOT\\CIMV2” and “Root\\SecurityCenter2” namespaces.\r\nWMI Classes\r\nWin32_OperatingSystem\r\nWin32_ComputerSystem\r\nAntiSpywareProduct\r\nAntiVirusProduct\r\nFirewallProduct\r\nWin32_UserAccount\r\nWin32_NetworkAdapter\r\nWin32_Process\r\nTable 1: Referred classes\r\nWMI Queries and Registry Keys Used\r\n1. SELECT Caption FROM Win32_TimeZone\r\n2. SELECT CSNAME, Caption, CSDVersion, Locale, RegisteredUser FROM Win32_OperatingSystem\r\n3. SELECT Manufacturer, Model, SystemType, DomainRole, Domain, UserName FROM\r\nWin32_ComputerSystem\r\nRegistry entries are read for potential administrative escalation and proxy information.\r\n1. 
Registry key “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System” is queried to check\r\nthe values ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.\r\n2. Registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\” is queried to gather\r\nproxy information with values ProxyEnable, Proxy: (NO), Proxy, ProxyServer.\r\nTable 2 shows FELIXROOT backdoor capabilities. Each command is performed in an individual thread.\r\nCommand Description\r\n0x31 Fingerprint System via WMI and Registry\r\n0x32 Drop File and execute\r\n0x33 Remote Shell\r\n0x34 Terminate connection with C2\r\n0x35 Download and run batch script\r\n0x36 Download file on machine\r\n0x37 Upload File\r\nTable 2: FELIXROOT backdoor commands\r\nFigure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure\r\n7 for every command executed.\r\nFigure 9: Command logs after execution\r\nNetwork Communications\r\nFELIXROOT communicates with its C2 via HTTP and HTTPS POST requests. Data sent over the network is\r\nencrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to\r\nthe C2 server (Figure 10).\r\nFigure 10: POST request to C2 server\r\nAll other fields, such as User-Agents, Content-Type, and Accept-Encoding, that are part of the request / response\r\nheader are XOR encrypted and present in the malware. The malware queries the Windows API to get the computer\r\nname, user name, volume serial number, Windows version, processor architecture and two additional values, which\r\nare “1.3” and “KdfrJKN”. 
The value “KdfrJKN” may be used as identification for the campaign and is found in the\r\nJSON object in the file (Figure 11).\r\nFigure 11: Host information used in every communication\r\nThe FELIXROOT backdoor has three parameters for C2 communication. Each parameter provides information\r\nabout the task performed on the target machine (Table 3).\r\nParameter Description\r\n‘u=’\r\nThis parameter contains target machine information in the following format:\r\n\u003cComputer Name\u003e, \u003cUser Name\u003e, \u003cWindows Version\u003e, \u003cProcessor Architecture\u003e, \u003c1.3\u003e,\r\n\u003cKdfrJKN\u003e, \u003cVolume Serial Number\u003e\r\n‘\u0026h=’ This parameter includes the information about the command executed and its results.\r\n‘\u0026p=’ This parameter contains the information about data associated with the C2 server.\r\nTable 3: FELIXROOT backdoor parameters\r\nCryptography\r\nAll data is transferred to C2 servers using AES encryption and the IBindCtx COM interface over HTTP or\r\nHTTPS. The AES key is unique for each communication and is encrypted with one of two RSA public\r\nkeys. Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption\r\nparameters.\r\nFigure 12: RSA public key 1\r\nFigure 13: RSA public key 2\r\nFigure 14: AES encryption parameters\r\nAfter encryption, the cipher text to be sent over C2 is Base64 encoded. 
Figure 15 shows the structure used to send\r\ndata to the server, and Figure 16 shows the structural representation of data used in C2 communications.\r\nFigure 15: Structure used to send data to server\r\nFigure 16: Structure used to send data to C2 server\r\nThe structure is converted to Base64 using the CryptBinaryToStringA function.\r\nFELIXROOT backdoor contains several commands for specific tasks. After execution of every task, the malware\r\nsleeps for one minute before executing the next task. Once all the tasks have been executed completely, the\r\nmalware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine:\r\n1. Deletes the LNK file from the startup directory.\r\n2. Deletes the registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open\r\n3. Deletes the dropper components from the system.\r\nConclusion\r\nCVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are\r\ncurrently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no\r\nlonger finding success, so organizations must ensure they are protected. At the time of writing, the FireEye\r\nMulti-Vector Execution (MVX) engine is able to recognize and block this threat. 
We also advise that all industries remain\r\non alert, as the threat actors involved in this campaign may eventually broaden the scope of their current targeting.\r\nAppendix\r\nIndicators of Compromise\r\n11227ECA89CC053FB189FAC3EBF27497 Seminar.rtf\r\n4DE5ADB865B5198B4F2593AD436FCEFF Seminar.rtf\r\n78734CD268E5C9AB4184E1BBE21A6EB9 Zam\u003cRandomNumber\u003e.doc\r\n92F63B1227A6B37335495F9BCB939EA2 FELIXROOT Dropper\r\nDE10A32129650849CEAF4009E660F72F FELIXROOT Backdoor\r\nTable 4: FELIXROOT IOCs\r\nNetwork Indicators of Compromise\r\nConfiguration Files\r\nVersion 1:\r\n{\"1\" : \"https://88.198.13.116:8443/xmlservice\",\"2\" : \"30\",\"4\" : \"GufseGHbc\",\"6\" : \"3\", \"7\" 
:\r\n\"http://88.198.13.116:8080/xmlservice\"}\r\nVersion 2:\r\n{\"1\" : \"https://217.12.204.100/news/\",\"2\" : \"30\",\"4\" : \"KdfrJKN\",\"6\" : \"3\", \"7\" :\r\n\"http://217.12.204.100/news/\"}\r\nFireEye Detections\r\nMD5 Product Signature Action\r\n11227ECA89CC053FB189FAC3EBF27497 NX/EX/AX Malware.Binary.rtf Block\r\n4DE5ADB865B5198B4F2593AD436FCEFF NX/EX/AX Malware.Binary.rtf Block\r\n78734CD268E5C9AB4184E1BBE21A6EB9 NX/EX/AX Malware.Binary Block\r\n92F63B1227A6B37335495F9BCB939EA2 NX/EX/AX FE_Dropper_Win32_FELIXROOT_1 Block\r\nDE10A32129650849CEAF4009E660F72F NX/EX/AX FE_Backdoor_Win32_FELIXROOT_2 Block\r\n11227ECA89CC053FB189FAC3EBF27497 HX IOC Alert\r\n4DE5ADB865B5198B4F2593AD436FCEFF HX IOC Alert\r\nTable 5: FireEye Detections\r\nAcknowledgements\r\nSpecial thanks to Jonell Baltazar, Alex Berry and Benjamin Read for their contributions to this blog.\r\nSource: https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html"
	],
	"report_names": [
		"microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40eff36404ceb315e7470b8373bb6214bf60b3b4.pdf",
		"text": "https://archive.orkl.eu/40eff36404ceb315e7470b8373bb6214bf60b3b4.txt",
		"img": "https://archive.orkl.eu/40eff36404ceb315e7470b8373bb6214bf60b3b4.jpg"
	}
}