Authors digitally signed Spymel Trojan to evade detection

Zscaler ThreatLabZ detected a new infostealer malware family dubbed Spymel that uses stolen certificates to evade detection.

In late December, security experts at Zscaler ThreatLabZ detected a new infostealer malware family dubbed Spymel that uses stolen certificates to evade detection.

“ThreatLabZ came across yet another malware family where the authors are using compromised digital certificates to evade detection. The malware family in this case is the information stealing Trojan Spymel and involved a .NET executable signed with a legitimate DigiCert issued certificate.” states a blog post published by Zscaler.

The first Spymel sample analyzed by the experts at Zscaler was signed with a DigiCert-issued certificate that has since been revoked, but the experts have already spotted a newer variant signed with a digital certificate issued by DigiCert to SBO INVEST.
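The defensive takeaway from the two samples is that a signature chaining to a legitimate CA is not evidence that a binary is benign once the certificate is revoked or known to be abused. The following PowerShell audit is an added example and is not code from the Zscaler post or from Security Affairs: it lists executables whose Authenticode signature no longer verifies and any file signed by a watch-listed subject. The scan path, the watch-list mechanism and the report layout are assumptions made for this example; only the "SBO INVEST" subject comes from the article.

```powershell
# Audit executables whose Authenticode signature does not verify, or whose signer appears on a
# watch-list of subjects known to have been abused. Scan path, watch-list and report layout are
# assumptions for this example; only the "SBO INVEST" subject is taken from the article.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$SignerWatchlist = @('SBO INVEST')
)

$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue

$findings = foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

    # Any watch-list entry found in the signer subject counts as a hit (entries are escaped so
    # they are matched literally, not as regular expressions).
    $watchHit = @($SignerWatchlist | Where-Object { $subject -match [regex]::Escape($_) })

    # A certificate that was trusted at signing time proves nothing once it is revoked or
    # untrusted: such files come back with a Status other than Valid and StatusMessage says why.
    # Unsigned files are skipped to keep the report focused on abused signatures.
    if (($sig.Status -notin @('Valid', 'NotSigned')) -or $watchHit.Count -gt 0) {
        [pscustomobject]@{
            File          = $file.FullName
            Status        = $sig.Status
            StatusMessage = $sig.StatusMessage
            Signer        = $subject
            Issuer        = $issuer
            WatchlistHit  = ($watchHit.Count -gt 0)
            SHA256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        }
    }
}

$findings | Sort-Object -Property WatchlistHit, Status -Descending | Format-Table -AutoSize
```

Whether a revoked certificate is reported depends on the host being able to perform revocation checking, so treat a Valid status as necessary rather than sufficient and keep the watch-list check alongside it.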

The bad actors behind the threat distributed the Spymel Trojan through spam emails carrying a ZIP archive that contains a JavaScript file used as a downloader. The JavaScript file downloads the Spymel Trojan from a remote server and installs it on the infected system.

“The malicious JavaScript file, surprisingly, in this case is not obfuscated and easy to read as seen in screenshot below. The Trojan Spymel executable gets downloaded from a remote location hardcoded in the JavaScript.” continues the post.

The analysis of the malware revealed that the address of its command and control (C&C) server is hardcoded in its code.

Spymel infects Windows systems; the analysis published by Zscaler shows the malware infecting both Windows XP and Windows 7 hosts and creating registry keys to gain persistence.

The Spymel Trojan has a modular structure; the researchers provided detailed information on a number of modules, including the keylogging component and the ProtectMe module, the latter used to prevent the user from shutting the malware down.

In order to send information to the attackers, the malware connects to the remote domain android.sh (213.136.92.111) on port 1216.

Below is the list of commands that the operators can send to Spymel:

Command      Description
i            Sends information about the user name, OS name, running processes, video module flag and active window title.
GetDrives    Information about the drives in the system.
FileManager  Information about folders and files for a given location.
Delete       Deletes a given file or folder.
Execute      Executes a given file.
Rename       Renames a given file or folder.
sup          Uninstalls itself.
klogs        Uploads the keylogging file to the C&C. *
klold        Uploads a requested file to the C&C. *
ks           Searches for a given string in all keylogging files.
dklold       Deletes a given keylogging file.
dp           Sends a desktop snapshot.
dform        Downloads a file from a given URL.
VideoMode    Turns video recording on or off.
veUpdate     Provides video recording settings for specific processes.

In the criminal ecosystem it is quite common to abuse digital certificates to sign malware; recently, researchers at IBM Security X-Force discovered a CaaS (Certificates as a Service) offering in the underground. Cybercriminals are using the Dark Web to sell high-grade code-signing certificates, obtained from trusted certificate authorities, to anyone interested in purchasing them.

I suggest reading the post titled “How Cybercrime Exploits Digital Certificates” to better understand how criminals abuse digital certificates.

Pierluigi Paganini

(Security Affairs – Digital Certificates, Spymel)
