Felismus Malware Written By The Sowbug Group

Cyber security company Symantec recently identified a new cyber espionage group called “Sowbug” that targets governments initially in South East Asia and South America.  Sowbug uses a sophisticated piece of malware called “Felismus” that was discovered earlier this year by Forcepoint Security Labs.

It is currently unknown how Felismus infiltrates a target’s network but once deployed it can maintain a persistent presence, avoiding detection by disguising itself as an Adobe or Word file. The operators of the malware also appear to work outside the usual business hours of the victim, possibly to avoid arousing suspicion from legitimate users.

Sowbug uses Felismus to predominantly steal information relating to foreign policy, diplomatic relations and, specifically, Asia-Pacific relations.  It has also been seen searching for files on remote shares in an attempt to infect other computers on the network.

Sowbug has probably been operating since at least early 2015, but its stealthy capabilities have enabled it to remain very low profile and evade detection.

Sowburg’s identity and primary motivation is currently unknown. There has been speculation this could be a state sponsored group due to the government targets, the sophistication of Felismus, and its success.  Some of the malware code appeared to indicate that the operators’ first language may not be English.




Upon execution, the malware makes a series of innocuous looking HTTP requests to www[]cosecman[]com seemingly designed to look like normal browsing/shopping activity:

(i)   GET /notice/news/items.php?V=ca09a22378d1673b&U= HTTP/1.1
(ii)  GET /notice/news/items.php?V=ca09a22378d1673b&M=f871ff6f939cecf8&U=fe41320b0e4c5d1a
(iii) POST /notice/items/products.php?mobfhvkaqmrmsjjalllpdtkizewqx

Analysis of these requests and their associated responses show them to be part of the malware’s setup process.

Associated Domains & IP Addresses To Block

cosecman[]com
maibars[]com
mastalib[]com
nasomember[]com
unmailhome[]com

103.43.18.102 and 103.43.18.106, and 103.43.18.111

103.43.18.105 and 43.246.208.226 and 43.246.208.208




 

 

Leave a Reply