Infostealer Trojan Spymel Uses Stolen Certificates to Avoid Detection


Cyber security analysts have discovered a new trojan that evades antivirus detection. The malware is signed with stolen code-signing certificates so that security software treats it as a legitimate program. Once it infects a system, the trojan receives commands from a remote server and spies on the user's activity. So far it has only been observed on Windows systems.

The malware was first discovered in late September by security analysts at Zscaler. Spymel belongs to the family of trojans known as information stealers, or infostealers for short, which spy on a user's activity and watch for specific processes. It uses stolen digital certificates to avoid detection by antivirus programs: Zscaler's analysts found it signed with a certificate issued to "SBO INVEST" by DigiCert. That certificate was revoked, and two weeks later the researchers found the malware signed with a new certificate issued to the same entity, which was also revoked.

“ThreatLabZ came across yet another malware family where the authors are using compromised digital certificates to evade detection. The malware family in this case is the information stealing Trojan Spymel and involved a .NET executable signed with a legitimate DigiCert issued certificate.” states a blog post published by Zscaler.
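The practical lesson of the stolen-certificate trick is that "signed" is not the same as "trusted": a valid Authenticode signature only proves that whoever signed the file held the private key. The following script is an added example, not code from the article or from Zscaler's report. It walks a directory, verifies each executable's signature with the built-in Get-AuthenticodeSignature cmdlet, rebuilds the certificate chain with online revocation checking forced on, and reports any file whose signer subject matches a watched string (the "SBO INVEST" subject named above) or whose chain fails. The function name Get-SuspiciousSignedFiles and the default scan root (%APPDATA%) are assumptions for illustration.

```powershell
# Added example (not from the Zscaler report): audit Authenticode signatures of
# executables under a directory and flag anything signed by a watched subject or
# whose signing chain fails an online revocation check.
# Assumptions: the watched subject "SBO INVEST" comes from the article; the
# scanned directory defaults to the current user's %APPDATA%.
param(
    [string]$Path = $env:APPDATA,
    [string[]]$WatchSubjects = @('SBO INVEST')
)

function Test-SignerChain {
    # Build the chain ourselves with revocation checking forced on; a revoked
    # leaf or intermediate shows up as the 'Revoked' flag in ChainStatus.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        Trusted = $built
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

function Get-SuspiciousSignedFiles {
    param([string]$Root, [string[]]$Subjects)
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (-not $sig.SignerCertificate) { return }   # unsigned: nothing to audit here
        $subject = $sig.SignerCertificate.Subject
        $chain   = Test-SignerChain $sig.SignerCertificate
        $watched = @($Subjects | Where-Object { $subject -like "*$_*" }).Count -gt 0
        if ($watched -or -not $chain.Trusted) {
            [pscustomobject]@{
                File        = $_.FullName
                SigStatus   = $sig.Status          # Valid, NotTrusted, HashMismatch, ...
                Signer      = $subject
                Thumbprint  = $sig.SignerCertificate.Thumbprint
                ChainStatus = $chain.Status        # e.g. Revoked, RevocationStatusUnknown
                Watched     = $watched
            }
        }
    }
}

Get-SuspiciousSignedFiles -Root $Path -Subjects $WatchSubjects | Format-Table -AutoSize
```

Two caveats when reading the output. A signature that carries a timestamp countersignature made before the certificate's revocation date still validates, so revocation alone does not retroactively "unsign" samples that were already distributed. And an endpoint with no network path to the CA's OCSP or CRL endpoints reports RevocationStatusUnknown rather than Revoked. For hunting, treat the signer subject and certificate thumbprint as indicators in their own right rather than relying on the signed/unsigned distinction.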

The malware spreads through spam emails carrying a ZIP archive that contains a JavaScript file; when run, the script downloads Spymel from a command and control server. The domain used to download the malware is hard-coded in the JavaScript file (Figure 1). The payload itself is a heavily obfuscated .NET executable. The trojan installs itself as "svchost.exe" and "Startup32.1.exe" in the following locations:

Win XP

  • %Application Data%\ProgramFiles(32.1)\svchost.exe
  • %User%\Start Menu\Programs\Startup\Startup32.1.exe

Win 7

  • %UserProfile%\AppData\Roaming\ProgramFiles(32.1)\svchost.exe
  • %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.1.exe

After installing itself the malware also creates registry values so that it is launched each time the user logs on. The affected keys, under each user's hive in HKEY_USERS, are the following:

Win XP and Win 7 (the same two values on both)

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run, value "Sidebar(32.1)"
  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run, value "Sidebar(32.1)"

Spymel JavaScript file containing the domain used to download the .NET executable. Source: research.zscaler.com
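The dropped file names and Run-key value names above are specific enough to hunt for directly. The script below is an added example, not part of the article or Zscaler's report: it checks every loaded user hive under HKEY_USERS for the "Sidebar(32.1)" value in both Run keys, then checks the two drop locations, resolving the Application Data and Startup folders through the .NET special-folder API so the same code works on the XP and Windows 7 layouts listed above. The function name Find-SpymelArtifacts is an assumption for illustration; the script is read-only and removes nothing.

```powershell
# Added example (not from the Zscaler report): hunt for the Spymel persistence
# artifacts listed in the article across every loaded user hive. Read-only.

$valueName  = 'Sidebar(32.1)'
$runSubkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
)
# Drop locations from the article. GetFolderPath resolves to
# "...\Application Data" / "...\Start Menu\Programs\Startup" on XP and to
# "...\AppData\Roaming\..." on Vista and later, so one list covers both.
$filePaths = @(
    (Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'ProgramFiles(32.1)\svchost.exe'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'Startup32.1.exe')
)

function Find-SpymelArtifacts {
    $findings = @()

    # Registry: walk every loaded hive (HKEY_USERS\<SID>), not just HKCU, so
    # other logged-on users' Run keys are covered too.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        foreach ($sub in $runSubkeys) {
            $key = "Registry::$($hive.Name)\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $valueName)) {
                $findings += [pscustomobject]@{
                    Type     = 'Registry'
                    Location = "$key\$valueName"
                    Data     = $props.$valueName   # Run: command line; StartupApproved: REG_BINARY state
                }
            }
        }
    }

    # Files: the current user's profile only; run under each account (or loop
    # over C:\Users\*) to cover every profile on the machine.
    foreach ($p in $filePaths) {
        if (Test-Path -LiteralPath $p) {
            $f   = Get-Item -LiteralPath $p
            $sig = Get-AuthenticodeSignature -FilePath $p
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $p
                Data     = "size=$($f.Length) sigStatus=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
            }
        }
    }
    return $findings
}

$hits = Find-SpymelArtifacts
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No Spymel persistence artifacts found.' }
```

A hit on the file path with a valid signature from an unexpected signer is exactly the case this campaign relies on, so the signer subject is printed alongside the size rather than being used to filter anything out.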

Once installed, the malware receives commands from the command and control server to gather information about the user. The domain it contacts is android.sh (213.136.92.111) on port 1216. Spymel watches for analysis tools such as Task Manager, Process Explorer, and Process Hacker by polling the GetForegroundWindow() API (Figure 2). It also includes a keylogger that records every keystroke, and it can capture screenshots and video of the screen. For a full list of the commands, see Zscaler's technical report on Spymel.


GetForegroundWindow() API used by Spymel. Source: research.zscaler.com
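The foreground-window check is cheap and, for an analyst, easy to defeat. The script below is an added example, not code from the article or from the sample: it P/Invokes GetForegroundWindow() and GetWindowText() from user32.dll and polls the foreground window title against the tool names the article lists, which is the observation Spymel makes before deciding to hide. The watched titles (the default window titles of Task Manager, Process Explorer and Process Hacker) and the function names are assumptions for illustration.

```powershell
# Added example (not from the Zscaler report): what a GetForegroundWindow()-based
# analysis-tool check looks like, polled for 30 seconds. A sample would loop
# indefinitely and act on the hit; here we only log it.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Win32 {
    [DllImport("user32.dll")]
    public static extern IntPtr GetForegroundWindow();
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
}
"@

# Assumed default window titles of the tools named in the article.
$watchTitles = @('Task Manager', 'Process Explorer', 'Process Hacker')

function Get-ForegroundTitle {
    $sb = New-Object System.Text.StringBuilder 512
    [void][Win32]::GetWindowText([Win32]::GetForegroundWindow(), $sb, $sb.Capacity)
    $sb.ToString()
}

function Test-AnalysisToolInFront {
    # Returns the matched tool name, or $null when no watched title is in front.
    param([string]$Title)
    foreach ($t in $watchTitles) { if ($Title -like "*$t*") { return $t } }
    return $null
}

$deadline = (Get-Date).AddSeconds(30)
while ((Get-Date) -lt $deadline) {
    $title = Get-ForegroundTitle
    $hit   = Test-AnalysisToolInFront -Title $title
    if ($hit) {
        '{0:HH:mm:ss} analysis tool in foreground: "{1}" (matched "{2}")' -f (Get-Date), $title, $hit
    }
    Start-Sleep -Milliseconds 500
}
```

Because the check keys on the window title rather than the process image, running a renamed copy of the tool or changing its window title is enough to keep the malware from noticing it; conversely, the same API reveals nothing about tools that have no foreground window, such as Sysmon or an EDR sensor.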

Users should take precautions against this trojan. Do not open attachments from emails whose origin you do not know, especially ZIP archives containing script files. Keep the firewall enabled and the system fully patched, and block unsolicited inbound and outbound connections, in particular any traffic to or from the address used by the malware. On machines with multiple users, run accounts and applications with the lowest privileges they need.
