The Trojan malware family, dubbed by the researchers as Spymel, is difficult to detect, since the ZIP archives use legitimate certificates that were issued by DigiCert, wrote Zscaler’s ThreatLabZ researchers Tarun Dewan and Amandeep Kumar on the company’s blog. The original certificate was revoked by the DigiCert. “We noticed a newer variant arose within two weeks of the first variant, using another certificate issued to ‘SBO INVEST’ that is also revoked,” wrote the researchers.
“There are a lot of security vendors who do not perform SSL inspection. You have to do SSL man in the middle inspection,” Zscaler head of security research Deepen Desai told SCMagazine.com. “A lot of these advanced attacks are multi-stage attacks trying to exploit this scenario.”
Once executed, the code logs user keystrokes and prevents the user from terminating the malware through system tools like TaskMgr, Procexp, ProcessHacker and Taskkill.
“Any vendor examining for malicious executable content over the network traffic should be able to detect the malware,” Desai told SCMagazine.com. The attack was over HTTP, not over SSL, he explained.
In a report published by Menlo Security, the company found that one in three of the top Alexa-ranked websites are either already compromised or running vulnerable software and at risk of being compromised. Six percent of websites were identified as serving malware, spam or botnet attacks.