RAT Looks Innocent, but it Attacks

Tuesday, January 22, 2013 @ 05:01 PM gHale

A family of remote access Trojans (RATs) within the FAKEM malware disguises its malicious traffic as various legitimate protocols in order to remain undetected.

Cybercriminals use a wide range of RATs to steal information or take control of their victims' computers. However, Trojans such as PoisonIvy, Hupigon, Gh0st, or PlugX are easy for security solutions to detect because the network traffic they produce is well known.

Around since September 2009, FAKEM makes its traffic look like that generated by common applications such as Yahoo! Messenger or Windows Messenger. Other variants even disguise their traffic as HTML, said researchers at Trend Micro.

The FAKEM RAT is distributed via spear-phishing emails and hides inside what appear to be innocent Word documents, Trend Micro researchers said.

“While there appear to be links between certain FAKEM RAT attacks and known campaigns (especially those involving Protux), it remains unclear if all the attacks that used this malware are connected. It’s possible that there are separate threat actors using the FAKEM RAT,” said Nart Villeneuve, Trend Micro senior threat researcher.

“While it is possible to distinguish the network traffic FAKEM RAT variants produce from the legitimate protocols they aim to spoof, doing so in the context of a large network may not be easy. The RAT’s ability to mask its traffic may be enough to provide attackers enough cover to survive longer in a compromised environment,” Villeneuve said.

Modern security solutions are capable of distinguishing legitimate traffic from that produced by FAKEM, but these RATs show that cybercriminals are always coming up with new ways to increase their campaigns’ chances of success.

Trend Micro released a white paper on the topic.
