FakeM

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

FakeM is a malware family first exposed in 2013 by Trend Micro, named for its command and control traffic mimicking Windows Messenger and Yahoo. The malware primarily operates as a Windows backdoor, used extensively by the cyber-espionage group, Scarlet Mimic. Since its exposure, FakeM has undergone significant changes with two subsequent variants identified, each enhancing the original's capabilities. The malware infects systems via suspicious downloads, emails, or websites, stealing personal information, disrupting operations, or holding data hostage. In addition to FakeM, Scarlet Mimic has deployed Trojans targeting Mac OS X and Android operating systems, expanding their attack surface. There are infrastructure ties between some FakeM variants and older Trojan activities such as Elirks, Poison Ivy, and BiFrost, indicating a long-standing pattern of malicious activity dating back to 2009. The evolution of FakeM suggests that its developers adapted the tool to avoid detection, enabling its continued use in attacks. The original variant of FakeM includes data encrypted using a custom encryption cipher that uses an XOR key of "YHCRA" and bit rotation between each XOR operation. However, the newer FakeM SSL variants appear to employ Diffie-Hellman for key exchange and the RC4 algorithm for encrypting command and control (C2) communications. Interestingly, the initial packet sent to the C2 server does not contain a "client hello" message, typically required to initiate an SSL handshake. This unique approach underscores the sophistication of the threat actors behind FakeM.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Espionage

Trojan

Exploit

Backdoor

Payload

Windows

Loader

Malware

Encryption

Decoy

Beacon

Encrypt

Android

Antivirus

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Psylo	Unspecified	1	Psylo is a new, previously unreported Trojan malware discovered by Unit 42 during an infrastructure analysis of FakeM Custom SSL variants. The malware was named after the anagram 'hnxlopsyxt', which is the mutex created when initially running the payload. Psylo has been found to have overlaps with F
CallMe	Unspecified	1	CallMe is a type of malware, specifically a Trojan, designed to operate on the Apple OSX operating system. It was first analyzed in February 2013 by AlienVault, who discovered that it is based on a tool called Tiny SHell, an open-source OSX shell tool available on the internet. The CallMe Trojan has
MobileOrder	Unspecified	1	MobileOrder is a sophisticated piece of malware designed to exploit mobile devices. It operates by registering itself as a device administrator, thus preventing users from simply uninstalling it through regular settings. MobileOrder communicates with its command and control (C2) server over TCP port
Poison Ivy	Unspecified	1	Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d
Bifrost	Unspecified	1	Bifrost is a remote access Trojan (RAT) that has been active since 2004, designed to gather sensitive information such as hostname and IP address from compromised systems. The malware has evolved over time, with notable ties to other Trojans like FakeM MSN, Elirks, and Poison Ivy, suggesting the sam

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Scarlet Mimic	Unspecified	1	Scarlet Mimic is a threat actor that has been active since at least 2009, deploying increasingly advanced malware to execute attacks primarily through spear-phishing and watering holes. The group's attacks center around the use of a Windows backdoor named "FakeM," first described by Trend Micro in 2

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the FakeM Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
MITRE	a year ago	Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists