Malware using legit certs to avoid detection, surveil users

A new malware family uses compromised digital certificates to avoid detection and surveils infected devices' activities.
A new malware family uses compromised digital certificates to avoid detection and surveils infected devices' activities.

Researchers discovered a new malware family that uses compromised digital certificates to avoid detection and that then surveils the infected device's activity and send the information to the attacker. The attackers use a targeted phishing campaign containing attachments that contain malicious JavaScript files contained in a ZIP archive, according to Zscaler's ThreatLabZ.

The Trojan malware family, dubbed by the researchers as Spymel, is difficult to detect, since the ZIP archives use legitimate certificates that were issued by DigiCert, wrote Zscaler's ThreatLabZ researchers Tarun Dewan and Amandeep Kumar on the company's blog. The original certificate was revoked by the DigiCert. “We noticed a newer variant arose within two weeks of the first variant, using another certificate issued to ‘SBO INVEST' that is also revoked,” wrote the researchers.

“There are a lot of security vendors who do not perform SSL inspection. You have to do SSL man in the middle inspection,” Zscaler head of security research Deepen Desai told SCMagazine.com. “A lot of these advanced attacks are multi-stage attacks trying to exploit this scenario.”

Once executed, the code logs user keystrokes and prevents the user from terminating the malware through system tools like TaskMgr, Procexp, ProcessHacker and Taskkill.

The campaign appears to be consistent with a trend of malware that load executable files to execute commands on infected devices.

“Any vendor examining for malicious executable content over the network traffic should be able to detect the malware,” Desai told SCMagazine.com. The attack was over HTTP, not over SSL, he explained.

In a report published by Menlo Security, the company found that one in three of the top Alexa-ranked websites are either already compromised or running vulnerable software and at risk of being compromised. Six percent of websites were identified as serving malware, spam or botnet attacks.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS