Spymel Malware Uses a Digital Certificate

Spymel is the latest malware to use a digital certificate issued by DigiCert to attack systems, security vendor Zscaler reports.

The trojan infection begins with attackers sending a JavaScript file as an email attachment. As soon as the user opens the file, the payload is downloaded and installed on the machine. However, because the payload has been digitally signed with a certificate issued to a trusted company, no red flags are raised, which makes it particularly dangerous.

Figure: Certificate used to sign Spymel

Once installed on the machine, Spymel monitors Task Manager, Process Explorer and other key applications and logs keystrokes in order to break into computers and the networks they are connected to. This information is then fed back to the malware’s developer.

Although DigiCert has already revoked the certificate, hackers and criminals alike are using increasingly sophisticated methods to gain access to users’ computers.

Zscaler’s director of security research said: “The digital certificate will give a false sense of authenticity to the end user, especially when the certificate belongs to a legitimate software vendor.

“This approach also helps malware authors in evading detection, as it is common for security vendors to bypass advanced heuristic checks for payloads that are signed using legitimate trusted certificates,” he stated.

Although such methods have been used in the past to install spyware and adware payloads, they are considered a relatively new trend when it comes to malware.

“Compromising authentication, from passwords to certificates, is a tried and true method for cybercriminals across the globe,” added Tim Erlin, director of security and product management at Tripwire.

“The reality of compromised authentication is what drives ‘trust but verify’ and ‘defense in depth’ models. If you put all your security eggs in one basket, someone else is going to make a data omelet with them.”
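The two points above, that vendors tend to skip heuristic checks for signed payloads and that DigiCert has since revoked the certificate, come together in how a defender should treat a signature: as one signal, checked for revocation, not as an allowlist. The following PowerShell is an added example and is not code from the article, Zscaler, DigiCert or Tripwire; the file path and the function name are assumptions.

```powershell
# Added example: verify a downloaded payload's Authenticode signature and then
# rebuild the certificate chain with online revocation checking, so a signature
# made with a since-revoked certificate (as in the Spymel case) is not treated
# as a reason to skip heuristic analysis. Test-SignedPayload is a hypothetical name.
function Test-SignedPayload {
    param([Parameter(Mandatory)][string]$Path)   # e.g. a quarantined attachment payload

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError, ...: never exempt from heuristics
        return [pscustomobject]@{ Path = $Path; Verdict = 'Untrusted'; Reason = "Signature status: $($sig.Status)" }
    }

    # A signature can be cryptographically valid while the signing certificate has
    # since been revoked. Make the revocation check explicit for the whole chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the code-signing EKU (1.3.6.1.5.5.7.3.3) so a TLS or e-mail
    # certificate cannot vouch for an executable.
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null

    if (-not $chain.Build($sig.SignerCertificate)) {
        $reasons = ($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        }) -join '; '
        # Revoked, RevocationStatusUnknown, OfflineRevocation, NotValidForUsage, ...
        return [pscustomobject]@{ Path = $Path; Verdict = 'Untrusted'; Reason = "Chain failed: $reasons" }
    }

    # Valid and unrevoked today. Record the signer so a later revocation can be
    # matched against earlier verdicts; the file still goes through normal heuristics.
    return [pscustomobject]@{
        Path    = $Path
        Verdict = 'SignedButStillScanned'
        Reason  = "Signer '$($sig.SignerCertificate.Subject)' thumbprint $($sig.SignerCertificate.Thumbprint)"
    }
}

# Hypothetical path to the downloaded payload held in quarantine.
Test-SignedPayload -Path 'C:\Quarantine\sample.exe' | Format-List
```

RevocationStatusUnknown and OfflineRevocation fail the chain here on purpose: a check that cannot reach the CRL or OCSP responder should not be read as "not revoked".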
