Authors digitally signed Spymel Trojan to evade detection

Share this…

Zscaler ThreatLabZ detected a new infostealer malware family dubbed Spymel that uses stolen certificates to evade detection.

In late December, security experts at Zscaler ThreatLabZ detected a new infostealer malware family dubbed Spymel that uses stolen certificates to evade detection.

“ThreatLabZ came across yet another malware family where the authors are using compromised digital certificates to evade detection. The malware family in this case is the information stealing Trojan Spymel and involved a .NET executable signed with a legitimate DigiCert issued certificate.” states a blog post published by Zscaler.

A first version of the Spymel Trojan analyzed by the experts at Zscaler had been signed with a certificate issued by DigiCert that has been already revoked, but experts already spotted a newer variant signed with a digital certificate issued by DigiCert to SBO INVEST.

The bad actors behind the threat distributed the Spymel Trojan through spam emails containing an ZIP archive containing a JavaScript file which is used as a downloader. The JavaScript file downloads the Spymel Trojan from a remote server and installs it on infected systems.

“The malicious JavaScript file, surprisingly, in this case is not obfuscated and easy to read as seen in screenshot below. The Trojan Spymel executable gets downloaded from a remote location hardcoded in the JavaScript.” continues the post.

Spymel Trojan digital certificate

The analysis of malware revealed that the address of the command and control (C&C) is hardcoded within its code.

Spymel is able to infect Windows systems, the analysis proposed by Zscaler demonstrates that the malware infected both Windows XP and Windows 7 systems, creating registry keys to gain persistence.

The Spymel Trojan has modular structure, the researchers provided details information on a number of modules, including the Keylogging component and the ProtectMe module, this last one used to protect the malware from user’s shut down.

In order to send information to the attackers, the malware connects to a remote on port 1216.

Below the list commands that the operators could send to the Spymel:

Sends information about user name, OS name, running processes, Video module flag, active window title.
Information about drives in system.
Information about folders and files for given location.
Deletes given file or folder
Executes given file.
Rename given file or folder
Uninstall itself
Upload keylogging file to C&C. *
Upload requested file to C&C *
Search for give string in all keylogging files.
Delete given keylogging file.
Sends Desktop snapshot
Download file from give URL
On|Off video recording
Provide settings of video recording for specific processes.

In the criminal ecosystem it is quite common to abuse digital certificates to sign malware, recently experts at IBM Security X-Force researchers  discovered a CaaS (Certificates as a service) in the underground. Cybercriminals are using the Dark Web for selling high-grade code certificates -which they have obtained from trusted certificate authorities- to anyone that is interested in purchasing them.

Let me suggest the reading of the post titled “How Cybercrime Exploits Digital Certificates” to better understand how criminals abused digital certificates.