FAKEM RATs disguise their network traffic as legitimate

Real RAT, or FAKEM RAT?

“Some variants attempt to disguise network traffic to look like Windows Messenger and Yahoo! Messenger traffic. Another variant tries to make the content of its traffic look like HTML,” reported Trend Micro in a new research paper published yesterday. The intention of FAKEM is simply to stay under the radar of malware defenses for as long as possible.

The three variants discovered are all distributed by spear-phishing emails carrying malicious attachments, often Microsoft Office documents exploiting known and patched vulnerabilities. But, “We also saw samples that were simply executable (.EXE) files,” adds Trend.

Typically, the malware produces network traffic designed to look like Windows Messenger, using a similar header. “However, beyond this, you will see that the traffic is not valid Windows Messenger traffic but may be sufficiently disguised as such to escape further scrutiny.” Other variants attempt to look like Yahoo! Messenger or HTML traffic.
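An added example, not from the Trend Micro paper or this article, of the check a network sensor can apply to the disguise just described: instead of trusting a Messenger-style header, validate that the rest of the payload actually follows the protocol's framing. It models a simplified form of the Windows Messenger (MSNP) client command format, and the sample payloads are constructed for illustration, not captured FAKEM traffic.

```python
import re

# Simplified model of MSNP client-to-server framing (assumption for this example):
# one ASCII command line "CMD TrID args\r\n"; MSG carries a text body whose
# byte length is the final argument. Real deployments would use a full parser.
MSNP_LINE = re.compile(rb"^([A-Z]{3}) (\d+)((?: [^\r\n ]+)*)\r\n")
KNOWN_CMDS = {b"VER", b"CVR", b"USR", b"XFR", b"MSG", b"CHG", b"SYN", b"OUT"}


def _is_text(buf: bytes) -> bool:
    """Messenger bodies are printable text; encrypted RAT payloads are not."""
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in buf)


def classify(payload: bytes) -> str:
    """'msnp' if every command validates, 'msnp-like' if the payload opens like
    Messenger traffic but breaks the protocol further in, 'other' otherwise."""
    pos, verdict = 0, "other"
    while pos < len(payload):
        m = MSNP_LINE.match(payload, pos)
        if not m:
            return verdict            # header-only mimicry ends here
        verdict = "msnp-like"         # a header matched; keep validating
        cmd, args = m.group(1), m.group(3).split()
        pos = m.end()
        if cmd not in KNOWN_CMDS:
            return verdict
        if cmd == b"MSG":
            if not args or not args[-1].isdigit():
                return verdict
            length = int(args[-1])
            body = payload[pos:pos + length]
            if len(body) != length or not _is_text(body):
                return verdict
            pos += length
    return "msnp" if verdict == "msnp-like" else "other"


# Constructed sample payloads (not real FAKEM or Messenger captures).
SAMPLES = {
    "handshake": b"VER 1 MSNP8 CVR0\r\n",
    "text_msg": b"MSG 2 N 5\r\nhello",
    "msg_with_binary_body": b"MSG 3 N 8\r\n\x8a\x00\xff\x13\x7f\x01\x02\xee",
    "header_then_garbage": b"CHG 4 NLN\r\n\x01\x02\x03\x04",
    "http_request": b"GET / HTTP/1.1\r\n",
}


def scan(samples=SAMPLES) -> dict:
    """Return a verdict per sample; 'msnp-like' is the one worth alerting on."""
    return {name: classify(data) for name, data in samples.items()}
```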

Communication between the RAT and its controller is encrypted to make detection and examination more difficult, but Trend used a honeypot to trap and investigate FAKEM. It then decrypted the traffic to understand the commands available to the RATs. These include typical RAT functions such as the use of shell commands, directory browsing, file exfiltration, access to the registry, desktop snapshots and more. 

Trend isn’t yet sure whether the FAKEM attackers are the same as those using other RATs, or a new set of attackers. “While there appear to be links between certain FAKEM RAT attacks and known campaigns (especially those involving Protux),” said Trend senior researcher Nart Villeneuve in a related blog posting, “it remains unclear if all the attacks that used this malware are connected. It’s possible that there are separate threat actors using the FAKEM RAT.”
