Cyber security analysts have discovered a new trojan that avoids antivirus detection. The malware uses stolen certificates to stay hidden from security software. Once the trojan infects a system, it can receive commands from a remote server to spy on a user’s activity. So far the malware has only been detected on Windows systems.
The malware was first discovered in late September by security analysts at Zscaler. Spymel belongs to a family of trojans known as information stealers, or infostealers for short, which are designed to spy on a user’s activity by monitoring specific processes. It uses stolen digital certificates to avoid detection by antivirus programs. Analysts at Zscaler found it was signed with a certificate issued to “SBO INVEST” by DigiCert. Two weeks later, researchers found a second certificate issued to the same entity, which was also revoked.
“ThreatLabZ came across yet another malware family where the authors are using compromised digital certificates to evade detection. The malware family in this case is the information stealing Trojan Spymel and involved a .NET executable signed with a legitimate DigiCert issued certificate.” states a blog post published by Zscaler.
- %Application Data%\ProgramFiles(32.1)\svchost.exe
- %User%\Start Menu\Programs\Startup\Startup32.1.exe
After installing itself, the malware also creates registry keys so that it loads each time the computer reboots. The affected registry entries are the following:
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run @ Sidebar(32.1)
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run @ Sidebar(32.1)
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Sidebar(32.1)
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run Sidebar(32.1)
Once installed, the malware can receive remote commands from the command and control server to gather information on the user. The domain the program uses to receive commands is android.sh (18.104.22.168) on port 1216. The malware watches for applications such as Task Manager, Process Explorer, and Process Hacker via the GetForegroundWindow() API (Figure 2). Spymel also includes a keylogger that records every keystroke the user enters, and it can take screenshots and record video of the screen. For a more detailed list of the commands, see Zscaler’s technical report on Spymel.
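The drop paths, persistence registry entries, certificate subject and command and control endpoint reported above are exactly the indicators a defender would push into endpoint and network telemetry hunts. The following is an added example, not code from the article or from Zscaler: it matches those indicators against a stream of simplified Sysmon-style event records. The event schema (the `type`, `key`, `value_name`, `path`, `signer_subject`, `dest_host`, `dest_ip` and `dest_port` fields) is a constructed simplification for illustration, and the sample events are constructed, not real telemetry.

```python
"""Added example: hunt for the Spymel indicators quoted in the article in
Sysmon-style event records. The event schema is a constructed simplification,
not Sysmon's real field names; the indicator values come from the article."""
import ipaddress
import re

# Indicators as reported in the article.
PERSISTENCE_VALUE_NAME = "Sidebar(32.1)"
RUN_KEY_SUFFIXES = (  # compared case-insensitively against the end of the key path
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\explorer\startupapproved\run",
)
DROP_PATH_PATTERNS = (
    re.compile(r"\\ProgramFiles\(32\.1\)\\svchost\.exe$", re.IGNORECASE),
    re.compile(r"\\Start Menu\\Programs\\Startup\\Startup32\.1\.exe$", re.IGNORECASE),
)
C2_DOMAIN = "android.sh"
C2_IP = ipaddress.ip_address("18.104.22.168")
C2_PORT = 1216
SIGNER_SUBJECT = "SBO INVEST"  # subject of the revoked DigiCert-issued certificate


def check_event(event):
    """Return a list of indicator matches for one event (empty if nothing matched)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        # Persistence: the named value written under a per-user Run key.
        key = event.get("key", "").lower()
        if event.get("value_name") == PERSISTENCE_VALUE_NAME and key.endswith(RUN_KEY_SUFFIXES):
            hits.append(f"persistence Run value: {event['key']} @ {PERSISTENCE_VALUE_NAME}")
    elif kind == "file_create":
        # Dropped copy of the binary at one of the reported locations.
        path = event.get("path", "")
        if any(pattern.search(path) for pattern in DROP_PATH_PATTERNS):
            hits.append(f"dropped binary at known path: {path}")
    elif kind == "process_create":
        # A signature from the revoked certificate is itself an indicator.
        if event.get("signer_subject", "").casefold() == SIGNER_SUBJECT.casefold():
            hits.append(f"binary signed with revoked certificate subject: {event.get('image')}")
    elif kind == "network_connect":
        host = event.get("dest_host", "").lower()
        ip = ipaddress.ip_address(event["dest_ip"]) if event.get("dest_ip") else None
        port = event.get("dest_port")
        if host == C2_DOMAIN or (ip == C2_IP and port == C2_PORT):
            hits.append(f"C2 beacon: {host or ip}:{port}")
        elif ip == C2_IP:
            # Same address on another port: lower confidence, still worth a look.
            hits.append(f"traffic to C2 address on unexpected port: {ip}:{port}")
    return hits


def hunt(events):
    """Run check_event over an event stream; return (event_index, hit) pairs."""
    return [(i, hit) for i, event in enumerate(events) for hit in check_event(event)]


# Constructed sample telemetry: two benign events and four that match indicators.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKEY_USERS\S-1-5-21-1234-5678-9012-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Sidebar(32.1)",
     "data": r"C:\Users\alice\AppData\Roaming\ProgramFiles(32.1)\svchost.exe"},
    {"type": "registry_set",
     "key": r"HKEY_USERS\S-1-5-21-1234-5678-9012-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\ProgramFiles(32.1)\svchost.exe"},
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\ProgramFiles(32.1)\svchost.exe",
     "signer_subject": "SBO INVEST"},
    {"type": "network_connect", "dest_host": "android.sh",
     "dest_ip": "18.104.22.168", "dest_port": 1216},
    {"type": "network_connect", "dest_host": "update.example.com",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for index, hit in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {hit}")
```

The registry check anchors on the key suffix rather than the full path because the real `HKEY_USERS` path carries the user's SID between the hive name and `\Software`; the article's listing omits it. The network check treats the domain, or the address and port together, as a confident match and the address alone as a weaker one, so a revoked certificate or a changed port does not silently drop the alert.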
Users should take the necessary precautions to protect against this new trojan. Do not download files from emails whose origin you do not know. Ensure that a firewall is enabled and fully updated. Block incoming connections from services you did not request, especially if the connection comes from the address used by the malware. On systems with multiple users, run accounts and applications with the lowest level of privileges.