Software: FakeM

FakeM
Software
ID: S0076
Aliases: FakeM
Type: Malware

FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.[1]

Techniques Used

  • Custom Cryptographic Protocol - The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation. FakeM has also included HTML code in C2 traffic in an apparent attempt to evade detection. Additionally, some variants of FakeM use modified SSL code for communications back to C2 servers, making SSL decryption ineffective.[1]
  • Data Obfuscation - FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers.[1]
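The following is an added example, written here to illustrate the cipher style the Custom Cryptographic Protocol entry describes; it is not FakeM's own code and does not reproduce the malware's actual routine. Only the key string "YHCRA" comes from the page. The rotation width (1 bit), its direction (left, applied to each byte after the XOR) and the per-byte layout are assumptions chosen for illustration. The analysis function shows why a repeating-key XOR with a fixed rotation gives an analyst little protection: a short known plaintext (for example a protocol prefix the traffic is imitating) exposes the key stream, and the periodicity of the key then confirms both the rotation amount and the key length.

```python
"""
Toy repeating-key XOR cipher with a bit rotation between XOR operations,
plus a known-plaintext key-recovery routine for ciphers of that shape.
Added example, not FakeM code. Rotation parameters are ASSUMPTIONS.
"""

KEY = b"YHCRA"  # the XOR key named in the ATT&CK entry


def rotl8(value: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (n is reduced mod 8)."""
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF


def rotr8(value: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits, expressed via rotl8."""
    return rotl8(value, (8 - (n % 8)) % 8)


def toy_encrypt(data: bytes, key: bytes = KEY, rot: int = 1) -> bytes:
    """XOR each byte with the repeating key, then rotate the result.

    The rotate-after-XOR ordering and the 1-bit width are assumptions."""
    return bytes(rotl8(b ^ key[i % len(key)], rot) for i, b in enumerate(data))


def toy_decrypt(data: bytes, key: bytes = KEY, rot: int = 1) -> bytes:
    """Inverse of toy_encrypt: undo the rotation first, then the XOR."""
    return bytes(rotr8(c, rot) ^ key[i % len(key)] for i, c in enumerate(data))


def recover_key_candidates(ciphertext: bytes, known_prefix: bytes,
                           max_key_len: int = 8) -> list:
    """Known-plaintext analysis for a rotate-then-repeating-XOR cipher.

    For every rotation amount (0..7) the assumed rotation is undone and the
    result XORed with the known plaintext, which exposes the key stream.
    For every key length up to max_key_len the candidate key is the first
    key_len bytes of that stream; it is kept only if the whole known region
    repeats it exactly, which needs at least two key periods of plaintext.
    Returns a list of (rot, key) tuples that are self-consistent.
    """
    found = []
    for rot in range(8):
        keystream = bytes(rotr8(c, rot) ^ p
                          for c, p in zip(ciphertext, known_prefix))
        for key_len in range(1, max_key_len + 1):
            if len(keystream) < 2 * key_len:
                break  # too little known plaintext to confirm this period
            candidate = keystream[:key_len]
            if all(keystream[i] == candidate[i % key_len]
                   for i in range(len(keystream))):
                found.append((rot, candidate))
    return found


if __name__ == "__main__":
    # Constructed sample message: a messenger-style request line, chosen
    # because the page notes FakeM traffic imitates messenger protocols.
    message = b"VER 1 MSNP8 CVR0\r\nCVR 2 0x0409 win\r\n"
    blob = toy_encrypt(message)
    assert toy_decrypt(blob) == message
    # An analyst who can guess the first dozen bytes recovers the key.
    for rot, key in recover_key_candidates(blob, message[:12]):
        print(f"rotation={rot} key={key!r}")
```

Because consistency is checked over the full known prefix, a candidate at key length 10 ("YHCRAYHCRA") would also appear once the known plaintext reaches 20 bytes; the shortest consistent period is the real key.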

Groups

The following groups use this software: