TrendLabs Malware Blog (Trend Micro)

The perpetrators of targeted attacks want to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain this presence, attackers seek to blend in with normal network traffic and use ports allowed by firewalls.

Frequently, the malware used in targeted attacks uses HTTP and HTTPS to appear like ordinary web traffic. However, while these malware tools do give attackers full control over a compromised system, they are often simple and configured to carry out only a few commands.

Some attackers prefer to use remote access Trojans (RATs), sometimes as “second stage” malware. These typically have graphical user interfaces (GUIs) and remote desktop features that include directory browsing, file transfer, the ability to take screenshots, and the ability to activate the microphone and web camera of a compromised computer. Publicly available RATs like Gh0st, PoisonIvy, Hupigon, and DRAT, and “closed-released” RATs like MFC Hunter and PlugX are both in common use. However, the network traffic these RATs produce is well known and easily detectable, although attackers still use them successfully.

To get around this, attackers are always looking for ways to blend their malicious traffic with legitimate traffic to avoid detection. We found a family of RATs that we call “FAKEM” that makes its network traffic look like various protocols. Some variants attempt to disguise their network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like ordinary web traffic. The FAKEM RAT appears to have been actively used in attacks since September 2009.

However, while there appear to be links between certain FAKEM RAT attacks and known campaigns (especially those involving Protux), it remains unclear whether all the attacks that used this malware are connected. It is possible that there are separate threat actors using the FAKEM RAT.

While it is possible to distinguish the network traffic FAKEM RAT variants produce from the legitimate protocols they aim to spoof, doing so in the context of a large network may not be easy. The RAT’s ability to mask its traffic may be enough to give attackers the cover they need to survive longer in a compromised environment.
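The post says the spoofed traffic can be told apart from the real protocols, but does not show how. The following is an added example (not Trend Micro's code, and not derived from the FAKEM samples) of the kind of protocol-conformance check a network defender can run on the first bytes of a flow: a flow that starts with the Yahoo! Messenger `YMSG` magic or with an HTTP request line is parsed against the public structure of that protocol, and every deviation (declared length that does not match the body, missing key/value separators, missing `Host` header, `Content-Length` that does not match the body) is reported. The YMSG header layout (4-byte magic, version, vendor id, length, service, status, session id) is taken from the publicly documented protocol; all flows below are constructed samples for illustration, and the names `ymsg_conformance`, `http_conformance` and `classify_flow` are this example's own.

```python
import re
import struct

# Public YMSG header layout: "YMSG", version, vendor, body length, service, status, session id.
YMSG_HEADER = struct.Struct(">4sHHHHII")          # 20 bytes
YMSG_SEP = b"\xc0\x80"                            # key/value field separator in YMSG bodies
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def ymsg_conformance(payload: bytes) -> list[str]:
    """List anomalies for a flow that claims to be YMSG; an empty list means it parses cleanly."""
    findings = []
    if len(payload) < YMSG_HEADER.size:
        return ["truncated-header"]
    magic, _version, _vendor, length, _service, _status, _session = YMSG_HEADER.unpack(payload[:YMSG_HEADER.size])
    if magic != b"YMSG":
        return ["no-ymsg-magic"]
    body = payload[YMSG_HEADER.size:]
    if len(body) != length:
        findings.append(f"length-mismatch: header says {length}, body is {len(body)}")
    if length and YMSG_SEP not in body:
        # A real YMSG body is a sequence of numeric keys and values delimited by 0xC0 0x80.
        findings.append("no-kv-separator")
    else:
        fields = body.split(YMSG_SEP)
        if fields and fields[-1] == b"":   # body ends with a separator, drop the empty tail
            fields.pop()
        if len(fields) % 2:
            findings.append("odd-field-count")
        for key in fields[0::2]:
            if not key.isdigit():
                findings.append(f"non-numeric-key: {key!r}")
                break
    return findings


def http_conformance(payload: bytes) -> list[str]:
    """List anomalies for a flow that claims to be an HTTP/1.x request."""
    findings = []
    if not HTTP_REQUEST_LINE.match(payload):
        return ["no-valid-request-line"]
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return ["no-header-terminator"]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append(f"malformed-header-line: {line!r}")
            continue
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        findings.append("missing-host-header")       # required by HTTP/1.1
    declared = headers.get(b"content-length")
    if declared is not None:
        if not declared.isdigit() or int(declared) != len(body):
            findings.append(f"content-length-mismatch: declared {declared!r}, body is {len(body)}")
    elif body:
        findings.append("body-without-content-length")
    return findings


def classify_flow(payload: bytes) -> tuple[str, list[str]]:
    """Guess the protocol a flow imitates from its first bytes and return (protocol, anomalies)."""
    if payload.startswith(b"YMSG"):
        return "ymsg", ymsg_conformance(payload)
    if HTTP_REQUEST_LINE.match(payload):
        return "http", http_conformance(payload)
    return "unknown", ["unrecognised-protocol"]


# Constructed sample flows (not real captures).
_ymsg_body = b"1" + YMSG_SEP + b"alice" + YMSG_SEP                    # key 1 = username
GENUINE_YMSG = YMSG_HEADER.pack(b"YMSG", 16, 0, len(_ymsg_body), 0x57, 0, 0) + _ymsg_body
FAKE_YMSG = YMSG_HEADER.pack(b"YMSG", 16, 0, 10, 0x57, 0, 0) + bytes(range(64))   # magic only, body is opaque
GENUINE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
FAKE_HTTP = b"POST /update HTTP/1.1\r\nContent-Length: 8\r\n\r\n" + bytes(range(32))   # no Host, wrong length

if __name__ == "__main__":
    for name, flow in [("genuine ymsg", GENUINE_YMSG), ("fake ymsg", FAKE_YMSG),
                       ("genuine http", GENUINE_HTTP), ("fake http", FAKE_HTTP)]:
        proto, anomalies = classify_flow(flow)
        print(f"{name:13s} -> {proto:7s} {'OK' if not anomalies else anomalies}")
```

Checks like these are cheap enough to run on the first packet of every new flow, and a flow that carries a protocol's signature bytes but fails its structural rules is worth a closer look; the post's point that this is harder at scale still stands, since the rules must be tuned so that buggy but legitimate clients do not drown the alerts.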

Fortunately, solutions like Trend Micro™ Deep Discovery can help network administrators protect their organizations from attacks that use the FAKEM RAT by detecting the traffic its variants produce.

Investigating remote access tools like FAKEM constitutes only one part of looking into APTs. In our infographic Connecting the APT Dots we covered the various components of an APT, of which RATs are only one.

Our complete paper on the FAKEM RAT may be downloaded by clicking the cover below:





• shine

  The binder tool means that the attacker didn’t use any vulnerability of Adobe and Office files?

• f0real

  There is a Java exploit that has been in the wild since at least early December 2012 that is serving this malware.
  Also, there is a variant that connects to an IP address registered with the US Dept of Defense (DoD).




© Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice