S0076 FakeM
FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [1]
| Item | Value |
|---|---|
| ID | S0076 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 27 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol Impersonation | FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers. Additionally, some variants of FakeM use modified SSL code for communications back to C2 servers, making SSL decryption ineffective. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of "YHCRA" and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | FakeM contains a keylogger module. [1] |
| enterprise | T1095 | Non-Application Layer Protocol | Some variants of FakeM use SSL to communicate with C2 servers. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0029 | Scarlet Mimic | [1] |