The perpetrators of targeted attacks want to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain this, attackers seek to blend in with normal network traffic and use ports allowed by firewalls.
Frequently, the malware used in targeted attacks uses HTTP and HTTPS to appear like ordinary web traffic. However, while these malware tools do give attackers full control over a compromised system, they are often simple and configured to carry out few commands.
Some attackers prefer to use remote access Trojans (RATs), sometimes as “second stage” malware, which typically have graphical user interfaces (GUIs) and remote desktop features that include directory browsing, file transfer, the ability to take screenshots, and the ability to activate the microphone and web camera of a compromised computer. Publicly available RATs like Gh0st, PoisonIvy, Hupigon, and DRAT, and “closed-released” RATs like MFC Hunter and PlugX are all in common use. However, the network traffic these RATs produce is well-known and easily detectable, although attackers still successfully use them.
To get around this, attackers are always looking for ways to blend their malicious traffic with legitimate traffic to avoid detection. We found a family of RATs that we call “FAKEM” that makes its network traffic look like various protocols. Some variants attempt to disguise network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like ordinary web traffic. The FAKEM RAT appears to have been actively used in attacks since September 2009.
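The defensive lesson of this section is that traffic which merely looks like a known messaging protocol should be checked against that protocol's actual framing rules before it is trusted. The following is an added example, not code from the original report or from Trend Micro: it validates a byte string that claims to be Yahoo! Messenger traffic against the publicly documented YMSG header layout (a 4-byte magic followed by version, vendor, body length, service, status and session fields) and the key/value body encoding that uses the 0xC0 0x80 separator. The two sample packets are constructed for illustration; nothing here reproduces FAKEM's real byte layout, which this excerpt does not describe.

```python
"""Protocol-conformance check for traffic that claims to be Yahoo! Messenger.

Added example, not part of the original report.  A lookalike that borrows only
the "YMSG" magic bytes will fail one or more of the structural checks below.
The sample packets are constructed; they are not captures of any real malware.
"""
import struct
from typing import List

YMSG_MAGIC = b"YMSG"
YMSG_HEADER_LEN = 20           # magic(4) ver(2) vendor(2) len(2) svc(2) status(4) session(4)
YMSG_FIELD_SEP = b"\xc0\x80"   # separator that terminates every key and every value in the body


def check_ymsg(packet: bytes) -> List[str]:
    """Return a list of conformance problems; an empty list means the packet
    follows YMSG framing as documented for the real client."""
    problems: List[str] = []
    if not packet.startswith(YMSG_MAGIC):
        return ["no YMSG magic"]
    if len(packet) < YMSG_HEADER_LEN:
        return ["truncated header"]
    # Header fields are big-endian; we only need the declared body length here,
    # but the full unpack documents the layout being checked.
    version, vendor, body_len, service, status, session = struct.unpack(
        ">HHHHII", packet[4:YMSG_HEADER_LEN])
    body = packet[YMSG_HEADER_LEN:]
    if body_len != len(body):
        problems.append(f"declared body length {body_len} != actual {len(body)}")
    if body:
        # Body is key SEP value SEP key SEP value SEP ...; every field ends with SEP
        if not body.endswith(YMSG_FIELD_SEP):
            problems.append("body not terminated by YMSG field separator")
        fields = body.split(YMSG_FIELD_SEP)
        if body.endswith(YMSG_FIELD_SEP):
            fields = fields[:-1]   # drop the empty element after the final separator
        if len(fields) % 2 != 0:
            problems.append("odd number of key/value fields")
        keys = fields[0::2]
        if not all(k.isdigit() for k in keys):   # YMSG keys are numeric field ids
            problems.append("non-numeric field key")
    return problems


def classify(packet: bytes) -> str:
    """Coarse verdict for a detection pipeline: 'conformant' or 'lookalike'."""
    return "conformant" if not check_ymsg(packet) else "lookalike"


def build_ymsg(service: int, fields) -> bytes:
    """Build a structurally valid YMSG packet (constructed test input only)."""
    body = b"".join(k + YMSG_FIELD_SEP + v + YMSG_FIELD_SEP for k, v in fields)
    header = YMSG_MAGIC + struct.pack(">HHHHII", 16, 0, len(body), service, 0, 0)
    return header + body


# Constructed sample 1: a packet that follows the documented framing.
GENUINE = build_ymsg(0x4B, [(b"1", b"alice"), (b"6", b"abc")])

# Constructed sample 2: starts with the magic but the declared length is wrong
# and the body is opaque bytes with no key/value structure.
LOOKALIKE = (YMSG_MAGIC + struct.pack(">HHHHII", 16, 0, 5, 0x4B, 0, 0)
             + b"\x01\x02\x03\x04\x05\x06\x07\x08")

if __name__ == "__main__":
    for name, pkt in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, classify(pkt), check_ymsg(pkt))
```

Such a check is cheap enough to run inline on a proxy or IDS and complements, rather than replaces, destination-based checks: traffic that mimics a messenger protocol but goes to a host that is not the messaging service, or that never completes the protocol's normal login exchange, is just as suspicious as a malformed header.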