The downloaded malware executable is a highly obfuscated .NET binary, digitally signed with a certificate issued to “SBO INVEST”. DigiCert promptly revoked the certificate when notified, so it is no longer active in any attack. We noticed a newer variant appear within two weeks of the first, signed with another certificate issued to “SBO INVEST” that has also been revoked.
Spymel drops copies of itself as “svchost.exe” and “Startup32.1.exe” in the following locations on Windows. It also creates registry entries to persist across reboots:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run @ Sidebar(32.1)
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run @ Sidebar(32.1)
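As an added defensive example (not code from the original write-up), the PowerShell below hunts every user hive loaded under HKEY_USERS for the “Sidebar(32.1)” value in the two Run keys above and flags a Run command that launches svchost.exe from outside the Windows system directories, or Startup32.1.exe from anywhere. It assumes the article's HKEY_USERS\Software\... paths sit under each user's SID subkey, which is how the hive is laid out.

```powershell
# Added example, not the article's code: hunt the two Run keys above for the Spymel value
# "Sidebar(32.1)" in every user hive loaded under HKEY_USERS (assumed to sit under each SID subkey).
$ValueName    = 'Sidebar(32.1)'
$SubKeys      = @('Software\Microsoft\Windows\CurrentVersion\Run',
                  'Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run')
$DroppedNames = @('svchost.exe', 'Startup32.1.exe')   # file names the article says Spymel drops

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    # Pull the executable path out of a quoted or unquoted Run command line.
    if ($CommandLine -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($CommandLine -split '\s+')[0] }
    $name = [IO.Path]::GetFileName($exe)
    if ($DroppedNames -notcontains $name) { return $false }
    # The real svchost.exe lives only in the Windows system directories; a copy anywhere else is the dropped file.
    if ($name -ieq 'svchost.exe') {
        $sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
        return -not ($sysDirs | Where-Object { $exe -like "$_\*" })
    }
    return $true   # Startup32.1.exe has no legitimate home
}

function Find-SpymelPersistence {
    $hits = @()
    # HKEY_USERS is not mapped as a PSDrive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($sid in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        foreach ($sub in $SubKeys) {
            $keyPath = Join-Path $sid.PSPath $sub
            if (-not (Test-Path $keyPath)) { continue }
            $key = Get-Item -Path $keyPath
            if ($key.GetValueNames() -notcontains $ValueName) { continue }
            $data = $key.GetValue($ValueName)
            # Run holds the command line; StartupApproved\Run holds a REG_BINARY enable/disable flag.
            if ($data -is [string]) { $shown = $data; $flag = Test-SuspiciousCommand $data }
            else { $shown = ($data | ForEach-Object { $_.ToString('x2') }) -join ''; $flag = 'n/a' }
            $hits += [pscustomobject]@{ User = $sid.PSChildName; Key = $keyPath; Data = $shown; Suspicious = $flag }
        }
    }
    return $hits
}

Find-SpymelPersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so that every loaded user hive is readable; hives of users who are not logged on are not under HKEY_USERS and would need to be loaded first.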
Spymel connects to a remote Command & Control server to send the collected data. The malware can also receive additional commands, such as capturing video, taking screenshots, and sending and receiving files, and it records keystrokes. A “ProtectMe” mechanism prevents the process from being terminated from the command line.
You can protect your system from this kind of malware by using a strong security application. Keeping your applications and operating system updated is important too, and we strongly recommend not clicking on or opening unexpected emails. Spam mailers prey on people's curiosity and use social engineering to infect their targets.