Compromised certs spread email and browser -jacking malware

New certs stolen as old ones revoked.

Malware signed with stolen digital certificates is stealing credentials from users' web browsers, email accounts and other applications, researchers found.

Symantec security researcher Satnam Narang said the so-called Nemim malware had compromised thousands of machines since April via phishing campaigns.

Nemim emerged in 2006 and has since been upgraded with an infector, a downloader and an information-stealing component.

The infector compromises Windows “User Profile” folders and their subfolders and collects information about the target computer, including its operating system version and local IP address details.

The malware's information-stealing component hijacks account credentials from a long list of web browsers and email applications, including Internet Explorer, Firefox, Chrome, Outlook and Windows Mail.

Google Talk, Google Desktop and MSN Messenger are also among the applications targeted by Nemim, Narang said in a blog post.

“It's still out there and active,” Narang told SC, adding that newly stolen digital certificates were being used to sign the malware as the older compromised certificates were revoked.

Symantec said the unknown perpetrators behind Nemim had also developed the Egobot trojan, which targeted Korean business executives via spear-phishing emails.

Symantec linked the two threats because of similarities in how the attackers gathered and encrypted stolen information. In addition, samples of both Nemim and Egobot contained a timer mechanism that allowed the attackers to remove the malware from infected computers.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition