FakeM malware is designed to evade detection by mimicking legitimate system processes, making it difficult to identify through traditional signature-based methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats that could compromise critical systems.
YARA Rule
rule FakeM_Generic {
meta:
description = "Detects FakeM malware samples"
author = "Florian Roth"
reference = "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
date = "2016-01-25"
score = 85
hash1 = "631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3"
hash2 = "3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520"
hash3 = "53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60"
hash4 = "4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3"
hash5 = "7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8"
hash6 = "12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d"
hash7 = "9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5"
hash8 = "3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90"
hash9 = "41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33"
hash10 = "53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e"
hash11 = "523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b"
strings:
$a1 = "\\system32\\kernel32.dll" fullword ascii
$a2 = "\\boot.lnk" fullword ascii
$a3 = "%USERPROFILE%" fullword ascii /* Goodware String - occured 16 times */
$b1 = "Wizard.EXE" fullword wide
$b2 = "CommandLineA" fullword ascii
$c1 = "\\system32\\kernel32.dll" fullword ascii
$c2 = "\\aapz.tmp" fullword ascii
$e1 = "C:\\Documents and Settings\\A\\" fullword ascii
$e2 = "\\svchost.exe" fullword ascii
$e3 = "\\Perform\\Release\\Perform.pdb" fullword ascii
$f1 = "Browser.EXE" fullword wide
$f2 = "\\browser.exe" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and
( all of ($a*) or all of ($b*) or all of ($c*) or all of ($e*) or 1 of ($f*) )
}This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
Scenario: System update or patch deployment using Microsoft Update or WSUS
Filter/Exclusion: Exclude processes associated with wusa.exe, msiexec.exe, or setup.exe from the detection logic.
Scenario: Scheduled backup job using Veeam Backup & Replication or Commvault
Filter/Exclusion: Exclude processes related to backup tools like veeambackup.exe, cvbackup.exe, or cvagent.exe.
Scenario: Admin task to install or update software using Group Policy Preferences (GPP) or PowerShell scripts
Filter/Exclusion: Exclude processes with powershell.exe or gpupdate.exe that are known to be part of legitimate administrative tasks.
Scenario: Log file parsing or analysis using ELK Stack (Elasticsearch, Logstash, Kibana) or Splunk
Filter/Exclusion: Exclude processes associated with logstash.exe, splunkd.exe, or elasticsearch.exe that are part of log management workflows.
Scenario: Security tool or endpoint protection update using Microsoft Defender ATP or CrowdStrike Falcon
Filter/Exclusion: Exclude processes like mpsvc.exe, falcon.exe, or msmpeng.exe that are part of legitimate security software updates.