FakeM

Malware Profile Updated 24 days ago
FakeM is a malware family first exposed in 2013 by Trend Micro and named for its command-and-control traffic, which mimics Windows Messenger and Yahoo messaging traffic. It operates primarily as a Windows backdoor and has been used extensively by the cyber-espionage group Scarlet Mimic. Since its exposure, FakeM has changed significantly: two subsequent variants have been identified, each extending the original's capabilities. The malware reaches systems through suspicious downloads, emails, or websites, and is used to steal personal information, disrupt operations, or hold data hostage.

In addition to FakeM, Scarlet Mimic has deployed Trojans targeting Mac OS X and Android, widening the set of platforms it attacks. Infrastructure ties exist between some FakeM variants and older Trojan activity such as Elirks, Poison Ivy, and BiFrost, indicating a long-standing pattern of malicious activity dating back to 2009. The evolution of FakeM suggests that its developers adapted the tool to evade detection, enabling its continued use in attacks.

The original FakeM variant encrypts its data with a custom cipher that uses the XOR key "YHCRA" together with a bit rotation between each XOR operation. The newer FakeM SSL variants instead appear to use Diffie-Hellman for key exchange and RC4 to encrypt command-and-control (C2) communications. Notably, the initial packet sent to the C2 server does not contain a "client hello" message, which is normally required to initiate an SSL handshake; for defenders, traffic on an SSL/TLS port that never begins with a ClientHello is therefore a useful anomaly to alert on. This unusual approach underscores the sophistication of the threat actors behind FakeM.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the FakeM malware was read from the document corpus below. This display is limited to 20 results.

Source: MITRE (created a year ago). Title: Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists