Hackers compromise certs to spread Nemim malware, which hijacks email and browser data

Researchers discovered Nemim in 2006, but have now detected new variants of the malware.

Malware dubbed “Nemim” is being used to steal credentials from users' web browsers, email accounts and other applications, researchers found.

According to Satnam Narang, a security researcher at Symantec, who co-authored a blog post on Tuesday about the Nemim campaign, recent samples of the malware were digitally signed with stolen certificates to infect users.

In a Wednesday interview with SCMagazine.com, Narang also revealed that, since April, thousands of machines had been compromised with Nemim – and infections continue to surface.

First detected in the fall of 2006 by Symantec's team, Nemim has been updated with three features: an infector, a downloader and an information-stealing component, he said. Users usually receive the payload via phishing emails.

The infector component targets Microsoft Windows users by compromising victims' files in the “User Profile” folder and its subfolders. Before Nemim downloads itself on victims' machines, it collects details about the infected computer, such as its name, operating system version, local IP address and other details, Narang's blog post said.

Once downloaded, the malware engages its information-stealing component, which is designed to hijack account credentials from a long list of web browsers and email applications, including Internet Explorer, Firefox, Chrome, Outlook and Windows Mail.

Google Talk, Google Desktop and MSN Messenger are also applications targeted by Nemim, the blog post revealed.

“It's still out there and active,” Narang warned in a follow-up interview, later adding that Nemim attackers have “used stolen certificates in the past, and are still using them today.” As compromised certs are reported or revoked – or simply expire – saboteurs move on by targeting new digital certificates, Narang explained.
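Because the article describes binaries signed with stolen certificates that are later revoked or expire, and an infector that writes into the “User Profile” folder, a defender's first check is to inventory what is signed there and whether each signer's certificate still chains cleanly with revocation checking on. The script below is an added example written for this article; it is not code from SC Magazine or Symantec, it assumes a Windows host with Windows PowerShell 5.1 or PowerShell 7, and the folder root, the file extensions inspected and the function name `Test-SignerRevocation` are choices made here, not anything the article specifies.

```powershell
# Added example (not from the article or from Symantec): list Authenticode signatures on
# executables under the user profile and flag files whose signing certificate is revoked,
# expired or otherwise untrusted. Assumes Windows; $Root and $Extensions are assumptions.
param(
    [string]$Root = $env:USERPROFILE,           # folder the article names as the infector's target
    [string[]]$Extensions = @('*.exe', '*.dll') # file types to inspect (assumption)
)

# Build the signer's chain with online revocation checking (CRL/OCSP) for the whole chain.
# Get-AuthenticodeSignature alone reports Valid/NotTrusted; this surfaces *why* the chain fails.
function Test-SignerRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    try {
        $ok = $chain.Build($Cert)
        $problems = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
        [pscustomobject]@{ ChainOk = $ok; Problems = ($problems -join ',') }
    }
    finally {
        $chain.Dispose()
    }
}

# Walk the profile folder (the infector's target per the article) and record each signature.
$results = Get-ChildItem -Path $Root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $rev  = if ($cert) { Test-SignerRevocation -Cert $cert } else { $null }
        [pscustomobject]@{
            Path       = $_.FullName
            SigStatus  = $sig.Status                                  # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = if ($cert) { $cert.Subject }    else { '' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
            ChainOk    = if ($rev)  { $rev.ChainOk }     else { $null }
            Problems   = if ($rev)  { $rev.Problems }    else { '' }
        }
    }

# The interesting set is "signed, but not cleanly": a signature is present yet the chain reports
# Revoked, NotTimeValid (expired) or an untrusted root. Unsigned files are a separate question.
$suspect = $results | Where-Object {
    $_.SigStatus -ne 'NotSigned' -and ($_.SigStatus -ne 'Valid' -or -not $_.ChainOk)
}
$suspect | Sort-Object Path | Format-Table Path, SigStatus, Signer, NotAfter, Problems -AutoSize
```

Two caveats when reading the output: a signature that carries a trusted timestamp countersignature legitimately stays valid after the certificate's `NotAfter` date, so `NotTimeValid` on its own is not evidence of misuse, whereas `Revoked` on a file that appeared recently is exactly the pattern Narang describes and is worth pivoting on by thumbprint across the fleet; and because the check is online, a host without CRL/OCSP reachability will report `RevocationStatusUnknown` rather than a clean chain.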

While victims of Nemim have primarily been concentrated in the U.S. and Japan, a smaller number of infections have been detected in India and the U.K., Symantec found.

Researchers have not determined from where the attackers are operating, but Symantec believes the perpetrators behind Nemim also developed a data-stealing trojan called Egobot, which has been used to target executives at Korean companies via spear phishing emails, ruses crafted for specific individuals at organizations.

Symantec linked the threats due to similarities in the way stolen information was encrypted and gathered by attackers. In addition, samples of Nemim and Egobot have contained a timer mechanism that allowed hackers to remove the malware from infected computers.