Trojan Egobot’s Perpetrators also behind Nemim Campaign
Researchers at the security company Symantec, who have been monitoring a cyber-crime operation that has used the Egobot Trojan against South Korea-based organisations since 2009, have found that the same perpetrators are also behind a far more widespread and still ongoing campaign that uses another threat, Infostealer.Nemim.
Nemim was reportedly first spotted in autumn 2006 and has been in circulation since. The info-stealing Trojan is mainly used to steal account credentials from software such as Chrome, Firefox, Internet Explorer, Gmail Notifier, Windows Mail, Outlook, Google Desktop, MSN Messenger and Google Talk.
Nemim's main targets appear to be located in Japan and the USA, although infections have also been found in the UK and India.
The malware consists of three components: an information stealer, a downloader and an infector. The infector is not particularly sophisticated: it simply decrypts the content it carries and executes an .exe file, which is the downloader.
The downloader works as a wrapper. It conceals a second, encrypted .exe that is decrypted and loaded dynamically at run time; that inner executable provides the real download functionality, and its job is to fetch and restore the info-stealing component.
Before downloading anything, however, the threat gathers system details from the compromised PC: the computer name, CPU name, user ID, number of USB devices, OS version, MAC address and local IP address.
These details are encrypted, Base64-encoded and sent to a central command-and-control (C&C) infrastructure, in the same way as Egobot does. On that infrastructure the transmitted data is seen in decoded form.
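The collect, encrypt, Base64-encode and transmit sequence described above, as an added Python illustration that is not Symantec's analysis and not Nemim's own code: the tag names, the "tag=value" field layout and the repeating-key XOR cipher are assumptions made for this example (the article does not say which cipher or tagging Nemim uses), the key is arbitrary, and the captured POST bodies are constructed. It shows the beacon as the malware side would build it and the analyst-side decode that recovers the host profile from a capture, which is what a defender needs to see the same data the C&C operator sees in the clear.

```python
import base64
import binascii

# Constructed sample of the host details the article lists; not a real host.
SAMPLE_PROFILE = {
    "host": "WS-ACCOUNTING-07",
    "cpu": "Intel64 Family 6 Model 58 Stepping 9",
    "user": "jdoe",
    "usb": "3",
    "os": "6.1.7601",
    "mac": "00-0C-29-4F-1A-2B",
    "ip": "10.20.30.41",
}

# Assumed tag layout ("tag=value" fields joined by '|') and assumed
# repeating-key XOR with an arbitrary key. Neither is documented for Nemim;
# they stand in for whatever tagging and encryption the real sample uses.
TAG_ORDER = ("host", "cpu", "user", "usb", "os", "mac", "ip")
KEY = bytes.fromhex("a53c71e2")


def pack_profile(profile):
    """Serialise the profile into the assumed tagged wire format."""
    return "|".join(f"{tag}={profile[tag]}" for tag in TAG_ORDER)


def unpack_profile(text):
    """Inverse of pack_profile; unknown tags are kept rather than dropped."""
    record = {}
    for field in text.split("|"):
        tag, sep, value = field.partition("=")
        if sep:
            record[tag] = value
    return record


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(profile, key=KEY):
    """Malware side: pack -> encrypt -> Base64, ready to POST to the C&C."""
    plain = pack_profile(profile).encode("utf-8")
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def decode_beacon(beacon, key=KEY):
    """Analyst side: Base64 -> decrypt -> unpack. Raises on non-beacon input."""
    raw = base64.b64decode(beacon, validate=True)
    return unpack_profile(xor_bytes(raw, key).decode("utf-8"))


def find_beacons(post_bodies, key=KEY, required_tags=("host", "mac", "ip")):
    """Run the decode over captured POST bodies and keep only those that
    yield a record carrying the tags a profile beacon must have."""
    hits = []
    for body in post_bodies:
        try:
            record = decode_beacon(body.strip(), key)
        except (binascii.Error, ValueError):
            continue  # not Base64, wrong key, or not text: skip it
        if all(tag in record for tag in required_tags):
            hits.append(record)
    return hits


# Constructed capture: one beacon among ordinary and unrelated Base64 traffic.
SAMPLE_POST_BODIES = [
    "user=admin&action=login",
    base64.b64encode(b"GET /index.html HTTP/1.1").decode("ascii"),
    encode_beacon(SAMPLE_PROFILE),
    "not base64!!",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_POST_BODIES):
        print(hit)
```

The scanner deliberately treats a decode failure as "not a beacon" rather than an error, because most captured POST bodies will be neither Base64 nor encrypted with the key in hand; only bodies that decode to text and carry the expected tags count as hits.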
When the researchers analysed Nemim, they linked it to Backdoor.Egobot on the basis of several features common to both programs: data collected in a specific format using particular tags, the same style of C&C communication, encrypted information, and an identical code-injection technique.
Given these commonalities and the overlapping timelines, Egobot and Nemim appear to come from the same source.
Nemim remains prevalent and has evolved over time: its string encryption has changed, the stolen digital certificates it uses have been updated, and checks have been added to detect common virtual machines.
» SPAMfighter News - 23-10-2013