
S0076 FakeM

FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [1]

Item Value
ID S0076
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 27 March 2020

Techniques Used

Domain ID Name Use
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers. Additionally, some variants of FakeM use modified SSL code for communications back to C2 servers, making SSL decryption ineffective. [1]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of "YHCRA" and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic. [1]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging FakeM contains a keylogger module. [1]
enterprise T1095 Non-Application Layer Protocol Some variants of FakeM use SSL to communicate with C2 servers. [1]

Groups That Use This Software

ID Name References
G0029 Scarlet Mimic [1]

References
