Spymel

By GoldSparrow in Trojans

Spymel is a Trojan used to collect data from infected computers. Spymel may evade detection by anti-virus programs by using misappropriated code-signing certificates, along with other features that are quickly becoming standard in modern threats. Misappropriated digital certificates are dangerous because a validly signed binary may be trusted by security software, allowing the threat to remain undetected, install other components, or carry out more sophisticated attacks. Spymel belongs to a threat family that has remained mostly undetected thanks to its use of misappropriated code-signing certificates. PC security researchers received reports from malware researchers in the United States regarding Spymel, which is spread through corrupted spam email attachments. According to these reports, Spymel's misappropriated digital certificates allow it to infect computers effectively and remain hidden from many standard security applications.

The Spymel Infection and Its Distribution Process

The Spymel Trojan first enters a computer as an archive file attached to an email message. The emails carrying Spymel may be spam messages disguised as legitimate correspondence from various corporations. Once the corrupted attachment has been decompressed, it may execute a JavaScript file that connects to a remote server and downloads and installs the threat's executable in the form of a .NET binary. Spymel's distribution method is particularly clever because of the way it bypasses many security programs: since the archive file does not contain the threat executable, only a script that fetches it, some security applications may not flag the attachment as threatening. The .NET binary itself may evade detection by carrying a digital signature made with a certificate issued by DigiCert to SBO INVEST; this certificate probably was misappropriated. Because of this, malware analysts strongly advise computer users to avoid opening any email attachment that is not completely verified and expected.
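The distribution chain described above, an archive that carries only a script downloader while the signed .NET payload lives on a remote server, is something a mail gateway or a triage script can catch before the payload is ever fetched. The following Python is an added example written for this page, not code from the original article or from any vendor. The archive member names, the script stub and the indicator list are constructed for illustration and are assumptions, not artifacts taken from Spymel samples.

```python
import io
import posixpath
import zipfile

# Windows Script Host and HTML Application extensions. The Spymel archives carried
# a .js downloader rather than the .NET executable itself, so the archive is the
# place to look for the script.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# COM objects a Windows script needs to fetch a file from the network, write it to
# disk and run it. A single hit is enough to justify a closer look.
DOWNLOADER_INDICATORS = (
    "MSXML2.XMLHTTP",
    "Microsoft.XMLHTTP",
    "MSXML2.ServerXMLHTTP",
    "ADODB.Stream",
    "WScript.Shell",
    "Scripting.FileSystemObject",
)


def script_findings(name, data):
    """Report which downloader indicators appear in one script member."""
    text = data.decode("utf-8", errors="ignore")
    return {"member": name, "indicators": [i for i in DOWNLOADER_INDICATORS if i in text]}


def inspect_archive(blob, depth=0, max_depth=3):
    """Walk a ZIP attachment, recursing into nested ZIPs, and return script findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            member = zf.read(info)
            if lower.endswith(".zip") and depth < max_depth:
                try:
                    nested = inspect_archive(member, depth + 1, max_depth)
                except zipfile.BadZipFile:
                    # A ".zip" that does not parse is itself suspicious: keep it for review.
                    nested = [{"member": "(unreadable archive)", "indicators": []}]
                for f in nested:
                    f["member"] = info.filename + "/" + f["member"]
                    findings.append(f)
                continue
            # splitext takes only the last extension, so "Invoice_4411.pdf.js" is seen as .js
            if posixpath.splitext(lower)[1] in SCRIPT_EXTENSIONS:
                findings.append(script_findings(info.filename, member))
    return findings


def verdict(findings):
    """Gateway decision: block a script that can fetch a payload, quarantine any other script."""
    if not findings:
        return "clean"
    if any(f["indicators"] for f in findings):
        return "block"
    return "quarantine"


def _zip_with(members):
    """Build an in-memory ZIP from a {name: bytes} mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed sample attachment: an outer ZIP holding an inner ZIP that holds only a
    .js stub. The stub is not a working downloader; it only carries the object names a
    real one would need, which is what the indicator check keys on."""
    stub = (
        b"// constructed sample for the detection example, not real malware\n"
        b'var http = new ActiveXObject("MSXML2.XMLHTTP");\n'
        b'var disk = new ActiveXObject("ADODB.Stream");\n'
        b'var shell = new ActiveXObject("WScript.Shell");\n'
    )
    inner = _zip_with({"Invoice_4411.pdf.js": stub})
    return _zip_with({"Documents.zip": inner, "readme.txt": b"Please see attached.\n"})


if __name__ == "__main__":
    found = inspect_archive(build_sample_attachment())
    for f in found:
        print(f["member"], f["indicators"])
    print("verdict:", verdict(found))
```

The check deliberately looks at the last extension only, so a double-extension lure such as "Invoice.pdf.js" is classified as a script, and it bounds recursion so a deliberately deep nesting cannot stall the gateway. A production filter would also need to open RAR, 7z and password-protected archives, and to treat an archive it cannot open at all as something to quarantine rather than pass.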

How the Spymel Attacks Work

PC security researchers first received reports of Spymel attacks in early December of 2015. DigiCert revoked the Spymel certificate as soon as the first Spymel attack was reported. However, the parties responsible for Spymel replaced it in less than two weeks with a different certificate, also issued by DigiCert to the same company, SBO INVEST; this second certificate was likewise revoked once its use was detected. A signature that validates is therefore not evidence that a file is safe: revocation status should be checked, and a binary signed with a revoked certificate should be treated as a strong indicator of compromise rather than as a trusted file. Spymel attacks may be used on multiple fronts. Spymel itself may be used as a payload downloader to deliver a variety of threats to the affected computer.

Spymel itself is a classic data-collecting Trojan. The Spymel attack is relatively simple to understand:

  1. After entering the affected computer, Spymel may fingerprint the infected computer's hardware and software configuration.
  2. Then, Spymel may establish a connection with its Command and Control server.
  3. Through this connection, Spymel may receive instructions from its controller, which may direct it to collect certain files or types of data.
  4. Spymel may transmit the data it collects over this connection, as well as carry out a variety of other operations on the victim's computer.

Spymel may be used to record video of the victim's computer activity, take screenshots, log keystrokes, and sniff network communications. Spymel is capable of self-destructing, uninstalling itself completely to prevent PC security researchers from studying it. Spymel also may download other files and execute them on the victim's computer, which allows it to serve as a payload downloader as well as an information-collecting Trojan. Spymel may include modules that heighten its ability to protect itself, preventing computer users or PC security researchers from closing or deleting it directly and disguising it as a legitimate system process.
