FakeM

FakeM is a malware family first exposed in 2013 by Trend Micro, named for its command and control traffic mimicking Windows Messenger and Yahoo. The malware primarily operates as a Windows backdoor, used extensively by the cyber-espionage group, Scarlet Mimic. Since its exposure, FakeM has undergone significant changes with two subsequent variants identified, each enhancing the original's capabilities. The malware infects systems via suspicious downloads, emails, or websites, stealing personal information, disrupting operations, or holding data hostage. In addition to FakeM, Scarlet Mimic has deployed Trojans targeting Mac OS X and Android operating systems, expanding their attack surface. There are infrastructure ties between some FakeM variants and older Trojan activities such as Elirks, Poison Ivy, and BiFrost, indicating a long-standing pattern of malicious activity dating back to 2009. The evolution of FakeM suggests that its developers adapted the tool to avoid detection, enabling its continued use in attacks. The original variant of FakeM includes data encrypted using a custom encryption cipher that uses an XOR key of "YHCRA" and bit rotation between each XOR operation. However, the newer FakeM SSL variants appear to employ Diffie-Hellman for key exchange and the RC4 algorithm for encrypting command and control (C2) communications. Interestingly, the initial packet sent to the C2 server does not contain a "client hello" message, typically required to initiate an SSL handshake. This unique approach underscores the sophistication of the threat actors behind FakeM.