Analysis of Spymel, a new information-stealing Trojan

Source: Internet
Author: User


Recently, the ThreatLabZ security research team found a new Trojan family, Spymel, which steals information and evades detection by being signed with valid digital certificates.
Trojan Introduction
The infection cycle begins with a malicious JavaScript file hidden inside a ZIP archive attached to an email. Once the JavaScript file is opened, it downloads the malware's installer executable and runs it on the target machine.
Analysis found that the JavaScript file uses no obfuscation, so the malicious link is easily discovered. The Spymel installer executable is downloaded from a hard-coded URL:

Hardcoded URL screenshot
Analysis Process
The downloaded installer executables are highly obfuscated .NET binaries, signed with a code-signing certificate issued to SBO Invest. When the problem was reported, DigiCert, the issuing CA, revoked the certificate immediately. But two weeks later a new variant appeared, signed with another SBO Invest certificate, which has since also been revoked. Note that revocation only helps endpoints that actually check revocation status (CRL or OCSP) when validating a signature; a tool that does not fetch revocation data will still see a "valid" signature on the binary.

Spymel Certificate
Spymel payload hashes (MD5):
4E86F05B4F533DD216540A98591FFAC2
2B52B5AA33A0A067C34563CC3010C6AF
Spymel installs itself as "svchost.exe" or "Startup32.1.exe" at the following locations, depending on the Windows version. The name svchost.exe mimics the legitimate Windows service host, which only lives in %SystemRoot%\System32; a copy under a user profile is a red flag in itself.
WinXP
%Application Data%\ProgramFiles (32.1)\svchost.exe
%User%\Start Menu\Programs\Startup\Startup32.1.exe
Win7
%AppData%\Roaming\ProgramFiles (32.1)\svchost.exe
%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.1.exe
After Spymel is installed, the following registry values are created for persistence, so the malware is launched again at every logon (the per-user keys live under the user's SID subkey of HKEY_USERS, which is the same hive that HKEY_CURRENT_USER points at):
WinXP
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run, value name "Sidebar (32.1)"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run, value name "Sidebar (32.1)"
Win7
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run, value name "Sidebar (32.1)"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run, value name "Sidebar (32.1)"
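As an added example (not code from the ThreatLabZ analysis), the Python below turns the file and registry indicators listed above into an offline triage check that runs over artifacts collected from a host: a list of file paths and a .reg export of the user's Run keys. The user name, SID and sample entries in it are constructed for the demonstration; the hashes, directory name, file names and Run value name come from the article. It goes slightly beyond the exact paths given: any svchost.exe outside System32/SysWOW64 is flagged, which is the general form of the masquerading Spymel uses.

```python
"""Offline triage for Spymel persistence indicators (added example, not the original analysis's code)."""
import hashlib
import ntpath
import re
from typing import List, Optional, Tuple

# Indicators from the article above.
SPYMEL_PAYLOAD_MD5 = {
    "4e86f05b4f533dd216540a98591ffac2",
    "2b52b5aa33a0a067c34563cc3010c6af",
}
SPYMEL_DIR = "programfiles (32.1)"       # drop directory under the user profile
SPYMEL_STARTUP_NAME = "startup32.1.exe"  # copy placed in the Startup folder
SPYMEL_RUN_VALUE = "sidebar (32.1)"      # value name under ...\CurrentVersion\Run
# The genuine service host only lives in these directories.
LEGIT_SVCHOST_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def is_suspicious_path(path: str) -> Optional[str]:
    """Return why a file path matches Spymel's drop locations, or None if it does not."""
    p = path.lower()
    name = ntpath.basename(p)
    parent = ntpath.dirname(p)
    if ntpath.basename(parent) == SPYMEL_DIR:
        return "file under ProgramFiles (32.1)"
    if name == SPYMEL_STARTUP_NAME:
        return "Startup32.1.exe in a Startup folder"
    if name == "svchost.exe" and not any(parent.endswith(d) for d in LEGIT_SVCHOST_DIRS):
        return "svchost.exe outside System32/SysWOW64"
    return None


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def find_run_persistence(reg_export: str) -> List[Tuple[str, str, str]]:
    """Scan a .reg export and return (key, value name, data) for Run / StartupApproved\\Run
    values that carry Spymel's value name or point at one of its drop paths."""
    hits = []
    key = ""
    for line in reg_export.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if not m or not key.lower().endswith(("\\currentversion\\run", "\\startupapproved\\run")):
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            # REG_SZ: .reg exports double every backslash; undo that to get the real path.
            data = data[1:-1].replace("\\\\", "\\")
        if name.lower() == SPYMEL_RUN_VALUE or is_suspicious_path(data):
            hits.append((key, name, data))
    return hits


def is_known_payload(content: bytes) -> bool:
    """True if the bytes hash to one of the two published payload MD5s. Exact-match only:
    a new variant will not hit this, so treat it as confirmation, not as a filter."""
    return hashlib.md5(content).hexdigest() in SPYMEL_PAYLOAD_MD5


# Constructed sample artifacts (not from a real host).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\ProgramFiles (32.1)\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\ProgramFiles (32.1)\svchost.exe.tmp",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.1.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\Users\alice\Downloads\notes.txt",
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Sidebar (32.1)"="C:\\Users\\alice\\AppData\\Roaming\\ProgramFiles (32.1)\\svchost.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"Sidebar (32.1)"=hex:02,00,00,00,00,00,00,00,00,00,00,00
"""

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        reason = is_suspicious_path(path)
        if reason:
            print(f"[!] {path}: {reason}")
    for key, name, data in find_run_persistence(SAMPLE_REG_EXPORT):
        print(f"[!] {key}\n    {name} = {data}")
```

On a live host the inputs come from `dir /s /b` (or a forensic file listing) and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion run.reg`; the keylog file svchost.exe.tmp is caught by the directory rule, and the StartupApproved entry is caught by value name even though its data is binary.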
Spymel's configuration data, which includes the Command & Control server and the file and registry names it uses, is hardcoded in the installer executable:

Spymel configuration data
The analysis shows that the installation package contains the following modules:
1. Keylogging Module
This module records the user's keystrokes to a log file (location: %Application Data%\ProgramFiles (32.1)\svchost.exe.tmp). The class implementing this module is named "kyl":

Keylogging code
2. ProtectMe Module
This module prevents the user from terminating the malware: it disables the "OK" button in the end-process confirmation prompt, so that killing the process from Task Manager does not work, and the taskkill command does not work as expected either. The class implementing this module is named "ProtectMe":

ProtectMe code
Information theft
The malware monitors applications such as Task Manager. It uses the GetForegroundWindow() API to obtain the handle of the active window and then acts on that window.
Spymel connects on port 1216 to the remote domain android.sh (213.136.92.111). Once the connection succeeds, it starts sending information about the active process window. The commands that the Command & Control server sends to the malware are listed in the following table:

The content sent by the malware is base64-encoded. Base64 is an encoding, not encryption: anyone who captures the traffic can decode it without a key. The code below handles recording while the browser is playing a video:

Code for recording browser video playback
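As an added example (not code from the analysis), the Python below covers the two network-side points above: finding a live connection to the C&C endpoint in `netstat -ano` output collected from a host, and recovering the base64-encoded content the malware sends without any key, which is what "encrypted using base64" actually amounts to. The netstat rows, PIDs and captured lines are constructed; the address 213.136.92.111 and port 1216 come from the article. The IP may change between variants, so pair this with a check for the android.sh domain in DNS logs.

```python
"""Network-side triage for Spymel (added example, not the original analysis's code)."""
import base64
import binascii
import re
from typing import List, Tuple

# C&C endpoint from the article; later variants may use a different address.
SPYMEL_C2_IP = "213.136.92.111"
SPYMEL_C2_PORT = 1216
SPYMEL_C2_DOMAIN = "android.sh"


def find_c2_connections(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (state, local address, PID) for TCP rows in `netstat -ano` output whose
    remote endpoint is the Spymel C&C server. The PID is what to pivot on next."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        # TCP rows have five columns: Proto, Local, Foreign, State, PID (UDP rows have no State).
        if len(parts) != 5 or parts[0].upper() != "TCP":
            continue
        _proto, local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if host == SPYMEL_C2_IP and port == str(SPYMEL_C2_PORT):
            hits.append((state, local, int(pid)))
    return hits


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_blobs(captured: str) -> List[str]:
    """Pull base64 runs out of captured C&C traffic and decode the ones that are text.
    No key is involved: base64 is an encoding, so the plaintext is recovered directly."""
    out = []
    for m in _B64_RUN.finditer(captured):
        token = m.group(0)
        if "=" not in token:
            token += "=" * (-len(token) % 4)  # tolerate padding stripped by the sender
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or decodes to binary rather than text
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            out.append(text)
    return out


# Constructed sample artifacts (not from a real host or capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.23:49812     213.136.92.111:1216    ESTABLISHED     4120
  TCP    192.168.1.23:49820     52.96.10.4:443         ESTABLISHED     3304
  UDP    0.0.0.0:5353           *:*                                    1580
"""
SAMPLE_CAPTURE = (
    "WIN|VGFzayBNYW5hZ2Vy\r\n"     # base64 of "Task Manager": an active-window report
    "PING\r\n"                     # too short to be mistaken for base64
    "BIN|//////////////////\r\n"   # valid base64 alphabet, but decodes to non-text bytes
)

if __name__ == "__main__":
    for state, local, pid in find_c2_connections(SAMPLE_NETSTAT):
        print(f"[!] {local} -> {SPYMEL_C2_IP}:{SPYMEL_C2_PORT} {state}, PID {pid}")
    for text in decode_base64_blobs(SAMPLE_CAPTURE):
        print(f"[+] decoded: {text!r}")
```

The PID returned for the established connection is the process to examine against the persistence indicators; a row in SYN_SENT state is just as significant, since it shows the beacon attempt even when the server is down.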
Summary
Using digital certificates to disguise malware has become a common technique, and Spymel is one example. With the help of social engineering, attackers send the target an email whose attachment infects the machine and then steals sensitive information: Spymel monitors user activity and forwards it to the attackers. For ordinary end users, the best protection against Spymel is to not open attachments or links in unexpected email; in this case the malicious link is easy to spot, since the JavaScript dropper does not obfuscate it.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.