RAT Hides as Windows® and Yahoo!® Messenger
January 17, 2013
Download the full research paper: FAKEM RAT:Malware Disguised as Windows® Messenger and Yahoo!® MessengerThe perpetrators of targeted attacks aim to maintain persistent presence in a target network in order to extract sensitive data when needed. To maintain persistent presence, attackers seek to blend in with normal network traffic and use ports that are typically allowed by firewalls. As a result, many of the malware used in targeted attacks utilize the HTTP and HTTPS protocols to appear like web traffic. However, while these malware do give attackers full control over a compromised system, they are often simple and configured to carry out a few commands.
Attackers often use remote access Trojans (RATs), which typically have graphical user interfaces (GUIs) and remote desktop features that include directory browsing, file transfer, and the ability to take screenshots and activate the microphone and web camera of a compromised computer. Attackers often use publicly available RATs like Gh0st, PoisonIvy, Hupigon, and DRAT, and “closed-released” RATs like MFC Hunter and PlugX. However, the network traffic these RATs produce is easily detectable although attackers still successfully use them.
Attackers always look for ways to blend their malicious traffic with legitimate traffic to avoid detection. We found a family of RATs that we call “FAKEM” that make their network traffic look like various protocols. Some variants attempt to disguise network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like HTML. While the disguises the RATs use are simple and distinguishable from legitimate traffic, they may be just good enough to avoid further scrutiny.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.