The perpetrators of targeted attacks want to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain this, attackers seek to blend in with normal network traffic and use ports allowed by firewalls.
Frequently, the malware used in targeted attacks uses HTTP and HTTPS to appear like ordinary web traffic. However, while these malware tools do give attackers full control over a compromised system, they are often simple and configured to carry out few commands.
Some attackers prefer to use remote access Trojans (RATs), sometimes as “second stage” malware, which typically have graphical user interfaces (GUIs) and remote desktop features that include directory browsing, file transfer, the ability to take screenshots, and activate the microphone and web camera of a compromised computer. Publicly available RATs like Gh0st, PoisonIvy, Hupigon, and DRAT, and “closed-released” RATs like MFC Hunter and PlugX are both in common use. However, the network traffic these RATs produce is well-known and easily detectable, although attackers still successfully use them.
To get around this, attackers are always looking for ways to blend their malicious traffic with legitimate traffic to avoid detection. We found a family of RATs that we call “FAKEM” that makes their network traffic look like various protocols. Some variants attempt to disguise network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like ordinary web traffic. The FAKEM RAT appears to have been actively used in attacks since September 2009.
However, while there appears to be links between certain FAKEM RAT attacks and known campaigns (especially those involving Protux), it remains unclear if all the attacks that used this malware are connected. It’s possible that there are separate threat actors using the FAKEM RAT.
While it is possible to distinguish the network traffic FAKEM RAT variants produce from the legitimate protocols they aim to spoof, doing so in the context of a large network may not be not easy. The RAT’s ability to mask its traffic may be enough to provide attackers enough cover to survive longer in a compromised environment.
Fortunately, solutions like Trend Micro™ Deep Discovery can help network administrators protect their organizations from attacks that use the FAKEM RAT by detecting the traffic its variants produce.
Investigating remote access tools like FAKEM constitute only one part of looking into APTs. In our infographic Connecting the APT Dots we covered the various components of an APT – of which RATs are only one.
Our complete paper into the FAKEM RAT may be downloaded by clicking the cover below: