Spymel Trojan Taps Digital Certificates to Avoid Detection

Yet another malware family—Trojan Spymel—has been found to be using compromised digital certificates to evade detection.

According to analysis from Zscaler’s ThreatLabZ, Spymel infects the targeted system through spammed email, leveraging social engineering. It spies on all user activity on the compromised machine and relays it to the attacker.

Its attack method includes a .NET executable signed with a legitimate DigiCert issued certificate.

“The infection cycle typically starts with a malicious JavaScript file that arrives in a ZIP archive via email attachment,” explained Zscaler researchers Tarun Dewan and Amandeep Kumar, in an analysis. “Once the user opens the JavaScript file, it will download and install the malware executable on the victim machine.”

The malicious JavaScript file, surprisingly, is not obfuscated and easy to read. But the downloaded malware executable is a highly obfuscated .NET binary, which is digitally signed with a certificate issued to “SBO INVEST”.

Malware that has been signed with legitimate digital certificates is on the rise, and no wonder: Code-signing provides the assurance to users and the operating system that the software is from a legitimate source, helping malware to evade security software detection. A recent report from InfoArmor noted that hackers are making a whole cottage-industry business out of selling certificates for malicious purposes.

In this case, the certificate was promptly revoked by DigiCert when notified and, therefore, is not active in any attack, the researchers noted. But the perpetrators are willing to evolve: “We noticed a newer variant arose within two weeks of the first variant, using another certificate issued to "SBO INVEST' that is also revoked.”

Once ensconced on a victim’s machine, Spymel has several modules for capturing information. These include a keylogging module, and has functions for monitoring applications like Task Manager, Process Explorer and Process Hacker in Windows. It also can record video using a PC’s camera, and uses the GetForegroundWindow API to get the handles of active windows.

Spymel also includes modules to prevent the victim from terminating the malware and other running processes on the system.

Since the attack begins with spam, the best defense is awareness—as ever, users should never click on links within emails unless their source has been verified as legitimate.

Photo © nevodka/Shutterstock.com

What’s Hot on Infosecurity Magazine?