FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [1]

ID: S0076
Platforms: Windows

Version: 1.0

Techniques Used

T1024 Custom Cryptographic Protocol (Enterprise): The original variant of FakeM encrypts C2 traffic with a custom cipher that XORs the data with the key “YHCRA” and applies a bit rotation between each XOR operation. FakeM has also embedded HTML in its C2 traffic in an apparent attempt to evade detection. Some variants use modified SSL code for communications back to C2 servers, which defeats standard SSL interception and decryption.[1]
T1001 Data Obfuscation (Enterprise): FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications such as MSN Messenger and Yahoo! Messenger.[1]
T1056 Input Capture (Enterprise): FakeM contains a keylogger module.[1]
T1071 Standard Application Layer Protocol (Enterprise): Some variants of FakeM use SSL to communicate with C2 servers.[1]
T1032 Standard Cryptographic Protocol (Enterprise): Some variants of FakeM use RC4 to encrypt C2 traffic.[1]
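The T1024 entry above names only the XOR key (“YHCRA”) and the fact that a bit rotation sits between XOR operations. The following is an added example, not FakeM's code and not derived from a sample: a generic XOR-plus-rotation byte cipher in which the rotation count and the order of the two steps (both unknown from this page and therefore assumptions) are parameters, plus a sweep that tries every parameter combination against a known-plaintext crib such as the HTML tag the page says FakeM wrapped its traffic in. The sample message is constructed here.

```python
"""Generic XOR-plus-bit-rotation byte cipher with a parameter sweep.

Added example, not FakeM's code and not taken from a sample. The page states
only that the original FakeM variant XORs C2 traffic with the key "YHCRA" and
applies a bit rotation between XOR operations. The rotation amount and the
order of the two steps are NOT on the page; they are ASSUMED parameters here
so an analyst can sweep them against a real capture. A right rotation by n
bits equals a left rotation by (8 - n) % 8, so sweeping rot over 0..7 covers
both directions.
"""

KEY = b"YHCRA"  # the XOR key named on the page


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    return rol8(b, (8 - n) % 8)


def encode(data: bytes, key: bytes = KEY, rot: int = 1, xor_first: bool = True) -> bytes:
    """Encode one byte at a time with a repeating key.

    xor_first=True:  out = rol8(b ^ k, rot)   (assumed order)
    xor_first=False: out = rol8(b, rot) ^ k   (the other possibility)
    """
    out = bytearray()
    for i, b in enumerate(data):
        k = key[i % len(key)]
        if xor_first:
            out.append(rol8(b ^ k, rot))
        else:
            out.append(rol8(b, rot) ^ k)
    return bytes(out)


def decode(data: bytes, key: bytes = KEY, rot: int = 1, xor_first: bool = True) -> bytes:
    """Exact inverse of encode(): undo the two steps in reverse order."""
    out = bytearray()
    for i, c in enumerate(data):
        k = key[i % len(key)]
        if xor_first:
            out.append(ror8(c, rot) ^ k)
        else:
            out.append(ror8(c ^ k, rot))
    return bytes(out)


def sweep(blob: bytes, crib: bytes, key: bytes = KEY) -> list:
    """Return every (rot, xor_first) pair under which blob decodes to data
    starting with the known-plaintext crib. With rot == 0 both orders collapse
    to plain XOR, so that case can yield two hits."""
    hits = []
    for xor_first in (True, False):
        for rot in range(8):
            if decode(blob, key, rot, xor_first).startswith(crib):
                hits.append((rot, xor_first))
    return hits


# Constructed sample: a C2 message that, like the HTML-wrapped traffic the page
# mentions, opens with an HTML tag. The rotation count 3 is an arbitrary choice.
SAMPLE_PLAINTEXT = b"<html><body>id=7;os=win</body></html>"
SAMPLE_BLOB = encode(SAMPLE_PLAINTEXT, rot=3, xor_first=True)

if __name__ == "__main__":
    print("candidate parameters:", sweep(SAMPLE_BLOB, b"<html>"))
    print(decode(SAMPLE_BLOB, rot=3, xor_first=True))
```

In practice the crib would be the first bytes of a decoded message whose structure is already known (an HTML prefix, a messenger-protocol banner), and the sweep is run over a captured C2 blob rather than the constructed one; any parameter pair that yields a plausible prefix is then confirmed by decoding the whole blob.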


Groups that use this software:

Scarlet Mimic