Trend Micro experts have released a white paper on a family of remote access Trojans (RATs) which disguise their malicious traffic to look like various protocols to remain undetected. The malware is called FAKEM and it has been around since September 2009.
Cybercriminals are using a wide range of RATs to steal information or take control of the computers of their victims. However, Trojans such as PoisonIvy, Hupigon, Gh0st, or PlugX are easily detected by security solutions because the network traffic they produce is well known.
FAKEM, on the other hand, makes its traffic look like that generated by common applications such as Yahoo! Messenger or Windows Messenger. Other variants disguise their traffic as HTML.
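Mimicry of this kind can be tested for conformance rather than just matched on a banner. The checker below is an added illustration, not code from Trend Micro's paper: it assumes the publicly documented 20-byte YMSG (Yahoo! Messenger) header and C0 80 field separators, and the "spoofed" sample is constructed for the demo, not FAKEM's actual bytes.

```python
import struct

# Layout of the real 20-byte YMSG header (big-endian): magic "YMSG", version,
# vendor id, payload length, service, status, session id. The payload is a run
# of fields each terminated by the byte pair C0 80, alternating key and value,
# with keys written as ASCII decimal numbers.
HEADER = struct.Struct(">4sHHHHII")
SEP = b"\xc0\x80"

def build_ymsg(pairs, version=16, service=0x57, status=0, session=0):
    """Assemble a well-formed YMSG packet from (key, value) string pairs."""
    payload = b"".join(k.encode() + SEP + v.encode() + SEP for k, v in pairs)
    return HEADER.pack(b"YMSG", version, 0, len(payload), service, status, session) + payload

def check_ymsg(packet):
    """Return the ways `packet` deviates from YMSG; an empty list means it conforms."""
    findings = []
    if len(packet) < HEADER.size:
        return ["shorter than the 20-byte YMSG header"]
    magic, _ver, _vendor, length, _svc, _status, _sess = HEADER.unpack_from(packet)
    if magic != b"YMSG":
        findings.append("magic is not YMSG")
    payload = packet[HEADER.size:]
    if length != len(payload):
        findings.append(f"header says {length} payload bytes, stream has {len(payload)}")
    terminated = payload.endswith(SEP)
    if payload and not terminated:
        findings.append("payload is not terminated by C0 80")
    fields = payload.split(SEP)[:-1] if terminated else payload.split(SEP)
    if len(fields) % 2:
        findings.append("odd number of fields, so keys and values do not pair up")
    for key in fields[0::2]:
        if not key.isdigit():
            findings.append(f"non-numeric key {key!r}")
            break
    return findings

# Constructed samples: a genuine-looking login packet, and a packet that borrows
# the YMSG magic but carries an opaque blob whose length and framing do not match
# what the header claims (an illustrative mismatch, not FAKEM's real format).
GENUINE = build_ymsg([("0", "alice"), ("1", "alice"), ("6", "abc")])
SPOOFED = (b"YMSG" + b"\x00\x10\x00\x00\x00\x08\x00\x57"
           + b"\x00\x00\x00\x00\x00\x00\x00\x00"
           + b"\x8b\x1f\x02\xaa\x41\x7c\x09\x00\x30")

if __name__ == "__main__":
    print("genuine:", check_ymsg(GENUINE) or "conforms")
    print("spoofed:", check_ymsg(SPOOFED))
```

A conforming client will pass all four checks on every packet, so a long-lived "Yahoo! Messenger" flow that repeatedly fails them is worth pulling for inspection.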
According to Trend Micro, the FAKEM RAT is distributed via spear-phishing emails and it’s cleverly hidden inside what appears to be innocent Word documents.
“While there appear to be links between certain FAKEM RAT attacks and known campaigns (especially those involving Protux), it remains unclear if all the attacks that used this malware are connected. It’s possible that there are separate threat actors using the FAKEM RAT,” Nart Villeneuve, Trend Micro senior threat researcher, explained.
“While it is possible to distinguish the network traffic FAKEM RAT variants produce from the legitimate protocols they aim to spoof, doing so in the context of a large network may not be easy. The RAT’s ability to mask its traffic may be enough to provide attackers enough cover to survive longer in a compromised environment,” the expert added.
Modern security solutions, such as Trend Micro Deep Discovery, can distinguish legitimate traffic from that produced by FAKEM, but these RATs show that cybercriminals keep coming up with new ways to improve their campaigns' chances of success.