Researchers in Zscaler -cyber security firm from US, discovered a new type of malware named Spymel. The analysis has been published in ThreadlabZ website by Tarun Dewan and Amandeep Kumar.

Spymel Malware

Spymel seems like an harmless .NET executable signed with a legitimate DigiCert issued certificate. It is stated that the infection cycle typically starts with a malicious JavaScript file that arrives in a ZIP archive via e-mail attachment. Once the user opens the JavaScript file, it will download and install the malware executable on the victim machine.

The first malicious JavaScript file is not obfuscated. When it began to run, it starts to download Spymel from a remote location. The remote URL is hard coded in the program codes of the Javascript. You can see it in Picture.

Javascript Code of Spymel Malware

Javascript Code of Spymel Malware

The downloaded malware executable is a highly obfuscated .NET binary, which is digitally signed with a certificate issued to “SBO INVEST”. The certificate was promptly revoked by DigiCert when notified and, therefore, is not active in any attack. We noticed a newer variant arose within two weeks of the first variant, using another certificate issued to “SBO INVEST’ that is also revoked.
Spymel drops itself as “svchost.exe” and “Startup32.1.exe” in the following locations of Windows OS. It also creates registry entries to be persistent.

Spymel connects to a remote Command & Conquer server to send collected data. The malware also has ability to receive additional commands like video capture, screenshot, send and receive files. It can typically record key strokes. The program has a ProtectMe mechanism to prevent itself being terminated from command line.

You can protect your system from this kind of malwares by using a strong security application. Updating the applications and Operating System is important too. Hesitating to click and open strange emails is strongly recommended. The Spam mailers are trying to use the curiosity of people and leveraging social engineering to infect the target systems.