Compromised certs spread email and browser -jacking malware


New certs stolen as old ones revoked.

Malware signed with stolen digital certificates is stealing credentials from users' web browsers, email accounts and other applications, researchers found.

Symantec security researcher Satnam Narang said the so-called Nemim malware had compromised thousands of machines since April via phishing campaigns.

Nemim emerged in 2006 and has since been upgraded with an infector, a downloader and an information-stealing component.

The infector compromised Windows “User Profile” folders and subfolders, collecting information on target computers including their operating system version and local IP address details.

The malware's information-stealing component hijacked account credentials from a long list of web browsers and email applications including Internet Explorer, Firefox, Chrome, Outlook and Windows Mail.

Google Talk, Google Desktop and MSN Messenger are also applications targeted by Nemim, Narang said in a blog post.

“It's still out there and active,” Narang told SC, adding that new stolen digital certificates were being used to sign the malware as old compromised certificates were revoked.

Symantec said the unknown perpetrators behind Nemim also developed the Egobot trojan that targeted Korean business executives via spear phishing emails.

It linked the threats because of similarities in the way stolen information was gathered and encrypted by the attackers. In addition, samples of both Nemim and Egobot contained a timer mechanism that allowed the hackers to remove the malware from infected computers.

This article originally appeared at

Copyright © SC Magazine, US edition
