Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign By by Swapnil Patil Published: 2018-07-26 · Archived: 2026-04-05 23:22:13 UTC Threat Research July 26, 2018 | Campaign Details In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being distributed to targets. FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine. Figure 1 shows the attack overview. https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 1 of 13 Figure 1: Attack overview The malware is distributed via Russian-language documents (Figure 2) that are weaponized with known Microsoft Office vulnerabilities. In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017- 11882 to distribute malware. The malicious document used is named “Seminar.rtf”. It exploits CVE-2017-0199 to download the second stage payload from 193.23.181.151 (Figure 3). The downloaded file is weaponized with CVE-2017-11882. Figure 2: Lure documents https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 2 of 13 Figure 3: Hex dump of embedded URL in Seminar.rtf Figure 4 shows the first payload trying to download the second stage Seminar.rtf. Figure 4: Downloading second stage Seminar.rtf The downloaded Seminar.rtf contains an embedded binary file that is dropped in %temp% via Equation Editor executable. This file drops the executable at %temp% (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9), which is used to drop and execute the FELIXROOT dropper component (MD5: 92F63B1227A6B37335495F9BCB939EA2). The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section. When it is executed, it creates two files: an LNK file that points to %system32%\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the startup directory. Figure 5 shows the command in the LNK file to execute the loader component of FELIXROOT. Figure 5: Command in LNK file The embedded backdoor component is encrypted using custom encryption. The file is decrypted and loaded directly in memory without touching the disk. https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 3 of 13 Technical Details After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function. Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key. Decryption logic used for ASCII strings is shown in Figure 6. Figure 6: ASCII decryption routine Decryption logic used for Unicode strings is shown in Figure 7. https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 4 of 13 Figure 7: Unicode decryption routine Upon execution, a new thread is created where the backdoor sleeps for 10 minutes. Then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If the malware was launched by RUNDLL32.exe with parameter #1, then it proceeds with initial system triage before doing command and control (C2) network communications. Initial triage begins with connecting to Windows Management Instrumentation (WMI) via the “ROOT\CIMV2” namespace. Figure 8 shows the full operation. Figure 8: Initial execution process of backdoor component Table 1 shows the classes referred from the “ROOT\CIMV2” and “Root\SecurityCenter2” namespace. https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 5 of 13 WMI Namespaces Win32_OperatingSystem Win32_ComputerSystem AntiSpywareProduct AntiVirusProduct FirewallProduct Win32_UserAccount Win32_NetworkAdapter Win32_Process Table 1: Referred classes WMI Queries and Registry Keys Used 1. SELECT Caption FROM Win32_TimeZone 2. SELECT CSNAME, Caption, CSDVersion, Locale, RegisteredUser FROM Win32_OperatingSystem 3. SELECT Manufacturer, Model, SystemType, DomainRole, Domain, UserName FROM Win32_ComputerSystem Registry entries are read for potential administration escalation and proxy information. 1. Registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ” is queried to check the values ConsentPromptBehaviorAdmin and PromptOnSecureDesktop. 2. Registry key “Software\Microsoft\Windows\CurrentVersion\Internet Settings\” is queried to gather proxy information with values ProxyEnable, Proxy: (NO), Proxy, ProxyServer. Table 2 shows FELIXROOT backdoor capabilities. Each command is performed in an individual thread. https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 6 of 13 Command Description 0x31 Fingerprint System via WMI and Registry 0x32 Drop File and execute 0x33 Remote Shell 0x34 Terminate connection with C2 0x35 Download and run batch script 0x36 Download file on machine 0x37 Upload File Table 2: FELIXROOT backdoor commands Figure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed. Figure 9: Command logs after execution https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 7 of 13 Network Communications FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server (Figure 10). Figure 10: POST request to C2 server All other fields, such as User-Agents, Content-Type, and Accept-Encoding, that are part of the request / response header are XOR encrypted and present in the malware. The malware queries the Windows API to get the computer name, user name, volume serial number, Windows version, processor architecture and two additional values, which are “1.3” and “KdfrJKN”. The value “KdfrJKN” may be used as identification for the campaign and is found in the JOSN object in the file (Figure 11). Figure 11: Host information used in every communication The FELIXROOT backdoor has three parameters for C2 communication. Each parameter provides information about the task performed on the target machine (Table 3). https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 8 of 13 Parameter Description ‘u=’ This parameter contains target machine information in the following format: , , , , <1.3>, < KdfrJKN >, ‘&h=’ This parameter includes the information about the command executed and its results. ‘&p=’ This parameter contains the information about data associated with the C2 server. Table 3: FELIXROOT backdoor parameters Cryptography All data is transferred to C2 servers using AES encryption and the IbindCtx COM interface using HTTP or HTTPS protocol. The AES key is unique for each communication and is encrypted with one of two RSA public keys. Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters. Figure 12: RSA public key 1 https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 9 of 13 Figure 13: RSA public key 2 Figure 14: AES encryption parameters After encryption, the cipher text to be sent over C2 is Base64 encoded. Figure 15 shows the structure used to send data to the server, and Figure 16 shows the structural representation of data used in C2 communications. Figure 15: Structure used to send data to server https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 10 of 13 Figure 16: Structure used to send data to C2 server The structure is converted to Base64 using the CryptBinaryToStringA function. FELIXROOT backdoor contains several commands for specific tasks. After execution of every task, the malware sleeps for one minute before executing the next task. Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine: 1. Deletes the LNK file from the startup directory. 2. Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open 3. Deletes the dropper components from the system. Conclusion CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected. At this time of writing, FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat. We also advise that all industries remain on alert, as the threat actors involved in this campaign may eventually broaden the scope of their current targeting. Appendix https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 11 of 13 Indicators of Compromise 11227ECA89CC053FB189FAC3EBF27497 Seminar.rtf 4DE5ADB865B5198B4F2593AD436FCEFF Seminar.rtf 78734CD268E5C9AB4184E1BBE21A6EB9 Zam.doc 92F63B1227A6B37335495F9BCB939EA2 FELIXROOT Dropper DE10A32129650849CEAF4009E660F72F FELIXROOT Backdoor Table 4: FELIXROOT IOCs Network Indicators of Compromise 217.12.204.100/news 217.12.204.100:443/news 193.23.181.151/Seminar.rtf Accept-Encoding: gzip, deflate content-Type: application/x-www-form-urlencoded Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Configuration Files Version 1: https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 12 of 13 {"1" : "https://88.198.13.116:8443/xmlservice","2" : "30","4" : "GufseGHbc","6" : "3", "7" : “http://88.198.13.116:8080/xmlservice"} Version 2: {"1" : "https://217.12.204.100/news/","2" : "30","4" : "KdfrJKN","6" : "3", "7" : "http://217.12.204.100/news/"} FireEye Detections MD5 Product Signature Action 11227ECA89CC053FB189FAC3EBF27497 NX/EX/AX Malware.Binary.rtf Block 4DE5ADB865B5198B4F2593AD436FCEFF NX/EX/AX Malware.Binary.rtf Block 78734CD268E5C9AB4184E1BBE21A6EB9 NX/EX/AX Malware.Binary Block 92F63B1227A6B37335495F9BCB939EA2 NX/EX/AX FE_Dropper_Win32_FELIXROOT_1 Block DE10A32129650849CEAF4009E660F72F NX/EX/AX FE_Backdoor_Win32_FELIXROOT_2 Block 11227ECA89CC053FB189FAC3EBF27497 HX IOC Alert 4DE5ADB865B5198B4F2593AD436FCEFF HX IOC Alert Table 5: FireEye Detections Acknowledgements Special thanks to Jonell Baltazar, Alex Berry and Benjamin Read for their contributions to this blog. Source: https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-u sed-to-distribute-felixroot-backdoor.html https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html Page 13 of 13