Openhunting Threat Library

FakeM

FakeM, FakeM RAT, Terminator RAT
(Type: Backdoor)

(Trend Micro) We found a family of RATs that we call “FAKEM” that make their network traffic look like various protocols. Some variants attempt to disguise network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like HTML. While the disguises the RATs use are simple and distinguishable from legitimate traffic, they may be just good enough to avoid further scrutiny.

[News Analysis] Trends:

Total Trend: 4

Trend Per Year
1
2012
3
2013


Trend Per Month
1
Jun 2012
1
2013
1
Mar 2013
1
Dec 2013



[News Analysis] News Mention Another Threat Name:

2 - Terminator RAT2 - BlackShades2 - DarkComet


[TTP Analysis] Technique Performance:

reconnaissance
0/43
resource development
0/45
initial access
0/19
execution
1/36
persistence
1/113
privilege escalation
1/96
defense evasion
0/184
credential access
0/63
discovery
0/44
lateral movement
0/22
collection
0/37
command and control
0/39
exfiltration
0/18
impact
0/26


[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1053.002
Scheduled Task/job : At
T1053.002
Scheduled Task/job : At
T1053.002
Scheduled Task/job : At


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Did you sayAdvanced Persistent Threats?

2013-12-05 by ESET Research from ESET Research

APT1: technical backstage

2013-03-27 by Paul Rascagnères from Malware.lu

FAKEM RAT

2013 by Nart Villeneuve from Trend Micro

RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army

2012-06-21 by Mila Parkour from Contagio Dump

Basic Information (Credit @etda.or.th)

Tool: FakeM

Names: FakeM, FakeM RAT, Terminator RAT

Description: (Trend Micro) We found a family of RATs that we call “FAKEM” that make their network traffic look like various protocols. Some variants attempt to disguise network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like HTML. While the disguises the RATs use are simple and distinguishable from legitimate traffic, they may be just good enough to avoid further scrutiny.

Category: Malware

Type: Backdoor

Information: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf

Information: https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf

Mitre-attack: https://attack.mitre.org/software/S0076/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:FakeM

Last-card-change: 2020-05-14

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.