FAKEM RAT- Malware Disguised as Windows® Messenger and Yahoo!® Messenger

The perpetrators of targeted attacks aim to maintain a persistent presence in a
target network in order to extract sensitive data when needed. To maintain that
presence, attackers seek to blend in with normal network traffic and use ports
that firewalls typically allow. As a result, much of the malware used in targeted
attacks communicates over HTTP and HTTPS so that its traffic resembles ordinary
web browsing. While this malware does give attackers full control over a
compromised system, it is often simple and configured to carry out only a few
commands.

Attackers often use remote access Trojans (RATs), which typically have
graphical user interfaces (GUIs) and remote desktop features that include
directory browsing, file transfer, and the ability to take screenshots and
activate the microphone and web camera of a compromised computer.
Attackers often use publicly available RATs like Gh0st, PoisonIvy, Hupigon,
and DRAT, and “closed-released” RATs like MFC Hunter and PlugX.
The network traffic these RATs produce is well known and easily detectable,
although attackers still use them successfully.

Attackers always look for ways to blend their malicious traffic with legitimate
traffic to avoid detection. We found a family of RATs that we call “FAKEM” that
makes its network traffic look like various protocols. Some variants attempt
to disguise their network traffic as Windows® Messenger and Yahoo!®
Messenger traffic. Another variant tries to make the content of its traffic look
like HTML. While the disguises the RATs use are simple and distinguishable
from legitimate traffic, they may be just good enough to avoid further scrutiny.

Read more: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf
