Hackers compromise certs to spread Nemim malware, which hijacks email and browser data


Malware dubbed “Nemin” is being used to steal credentials from users' web browsers, email accounts and other applications, researchers found.

According to Satnam Narang, a security researcher at Symantec, who co-authored a blog post on Tuesday about the Nemim campaign, recent samples of the malware were digitally signed with stolen certificates to infect users.

In a Wednesday interview with, Narang also revealed that, since April, thousands of machines had been compromised with Nemim – and infections continue to surface.

First detected in the fall of 2006 by Symantec's team, Nemim has been updated with three features: an infector, a downloader and an information-stealing component, he said. Users usually receive the payload via phishing emails.

The infector component targets Microsoft users by compromising victims' files in the “User Profile” folder and its subfolders. Before Nemim downloads itself on victims' machines, it collects details about the infected computer, such as its name, operating system version, local IP address and other details, Narang's blog post said.

Once downloaded, the malware engages its information-stealing component, which is designed to hijack account credentials from a long list of web browsers and email applications, including Internet Explorer, Firefox, Chrome, Outlook and Windows Mail.

Google Talk, Google Desktop and MSN Messenger are also applications targeted by Nemim, the blog post revealed.

“It's still out there and active,” Narang warned in a follow-up interview, later adding that Nemim attackers have “used stolen certificates in the past, and are still using them today.” As compromised certs are reported or revoked – or simply expire – saboteurs move on by targeting new digital certificates, Narang explained.  

While victims of Nemim have primarily been concentrated in the U.S. and Japan, a smaller number of infections have been detected in India and the U.K., Symantec found.

Researchers have not determined from where the attackers are operating, but Symantec believes the perpetrators behind Nemim also developed a data-stealing trojan called Egobot, which has been used to target executives at Korean companies via spear phishing emails, ruses crafted for specific individuals at organizations.

Symantec linked the threats due to similarities in the way stolen information was encrypted and gathered by attackers. In addition, samples of Nemim and Egobot have contained a timer mechanism that allowed hackers to remove the malware from infected computers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.