A family of remote access Trojans (RATs) known as FAKEM has been evading detection for more than three years by camouflaging themselves as legitimate network traffic.

Nate Villeneuve, a senior threat researcher at Trend Micro, said that remote access Trojans are a favorite among attackers seeking to maintain a persistent presence on target networks because of their versatility. The problem with RATs such as Gh0st, PoisonIvy, and others is that they often generate strange and easily recognizable network traffic.

So while attackers would likely prefer the graphical user interfaces and remotely accessible directory browsing, file transfer, screenshot taking, and microphone activation features that some RATs offer, attackers are frequently relegated to using simpler malware with less functionality that can transmit itself inconspicuously.

Members of the FAKEM family seem to getting the best of both worlds, taking advantage of expanded RAT functions while also managing to blend in with ordinary traffic.

Specifically, Villeneuve discovered variants of the FAKEM family that manipulated their network traffic to mimic legitimate services such as Windows and Yahoo messengers or to just look like normal Web traffic.

Trend Micro claims that FAKEM variants have been in use since September 2009, but they are not certain if the various FAKEM family members are related to one another as part of one large and complicated malware campaign, or if several seperate groups are deploying the different version. FAKEM RATs could potentially go unnoticed within a network for long periods of time due to their mimicry of legitimate traffic patterns.

Categories: Malware, SMB Security