The same cybercriminals are responsible for the Egobot campaign

Oct 15, 2013 18:01 GMT

Symantec researchers have been monitoring a cybercriminal campaign that uses the Trojan Egobot to target South Korea-related entities since 2009. However, experts believe that the same group is also responsible for an even more widespread and prevalent campaign that relies on Infostealer.Nemim.

The information stealing Trojan Nemim has been around since as early as the fall of 2006. It has been mainly used to steal account credentials for applications such as Internet Explorer, Firefox, Chrome, Outlook, Windows Mail, Gmail Notifier, Google Talk, MSN Messenger and Google Desktop.

The main targets of Nemim appear to be located in the United States and Japan. However, infections have also been spotted in India and the United Kingdom.

The threat has three components: an infector, a downloader and an information stealer. The infector is not sophisticated. It simply decrypts, drops and runs an embedded executable file that represents the downloader component.

The downloader acts as a wrapper for an encrypted executable which is loaded dynamically after it’s decrypted. This executable holds the actual downloader functionality responsible for retrieving the information stealer component.

However, before this function is triggered, several pieces of information are harvested from the infected computer, including computer name, username, CPU name, OS version, number of USB devices, IP address and MAC address. The information is encrypted and sent back to a command and control (C&C) server.

Researchers have identified several similarities between Egobot and Nemim, including the code injection technique, the C&C communication format, encryption, and the way information is harvested.

In addition, a timer mechanism that commands the threats to delete themselves at a certain date has been found in both Egobot and earlier samples of Nemim.

Additional details on Nemim and its apparent connections to Egobot can be found on Symantec’s blog.