
Spymel Uses Digital Certificate to Gain Trust

Security vendor Zscaler has revealed that the Spymel malware is using a digital certificate signed by DigiCert to attack systems.

The infection starts with a JavaScript file sent as an email attachment. When the user clicks on the file, it is downloaded and installed. The difference here is that because the file has been digitally signed by a trusted company, no red flags are raised and the malware is installed without any further notifications to the user. This, of course, makes it a particularly dangerous vulnerability.

Once installed, the malware, named Spymel, watches Task Manager, Process Explorer and other key applications and logs keystrokes in order to break into computers and the networks they are connected to. This information is then fed back to the malware's developer.

Although DigiCert has now revoked the certificate, the use of digital certificates to evade OS security mechanisms demonstrates that hackers and criminals are using increasingly sophisticated methods to access users' computers.

As Deepen Desai, director of security research at Zscaler, explained: “The digital certificate will give a false sense of authenticity to the end user especially when the certificate belongs to a legitimate software vendor. This approach also helps malware authors in evading detection as it is common for security vendors to bypass advanced heuristic checks for payloads that are signed using legitimate trusted certificates.”

Although such techniques have been used in the past to install spyware and adware payloads, it is a relatively new trend when it comes to malware.
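As an added illustration (not code from the article, Zscaler or DigiCert), the Python triage rule below shows how a mail gateway can avoid the heuristic bypass Desai describes: a script attachment is quarantined even when its signature chains to a trusted CA, and a revoked certificate fails regardless of file type. The signer names, serial numbers and filenames are constructed sample values, and the revoked-serial set stands in for a CRL/OCSP lookup.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Script-type attachments that Windows runs directly when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

@dataclass
class Signature:
    signer: str      # subject CN of the code-signing certificate
    issuer_ca: str   # issuing CA, e.g. "DigiCert"
    serial: str      # certificate serial number

@dataclass
class Attachment:
    filename: str
    signature: Optional[Signature] = None

@dataclass
class Policy:
    trusted_cas: Set[str] = field(default_factory=set)
    revoked_serials: Set[str] = field(default_factory=set)  # stand-in for CRL/OCSP

def signature_status(sig: Optional[Signature], policy: Policy) -> str:
    """Classify a code signature as unsigned, untrusted_ca, revoked or valid."""
    if sig is None:
        return "unsigned"
    if sig.issuer_ca not in policy.trusted_cas:
        return "untrusted_ca"
    if sig.serial in policy.revoked_serials:
        return "revoked"
    return "valid"

def triage(att: Attachment, policy: Policy) -> Tuple[str, str]:
    """Return (verdict, reason). A valid signature never exempts a script attachment."""
    status = signature_status(att.signature, policy)
    m = re.search(r"\.[^.]+$", att.filename.lower())
    ext = m.group(0) if m else ""
    if ext in SCRIPT_EXTENSIONS:
        # Signed or not, a mailed script is quarantined; the signer is kept for the analyst.
        return "quarantine", f"script attachment {ext}, signature {status}"
    if status == "revoked":
        return "quarantine", "signed with a revoked certificate"
    return "allow", f"signature {status}"

# Constructed sample data (not real certificates): a validly signed .js lure,
# an installer signed with a since-revoked certificate, and a clean signed installer.
POLICY = Policy(trusted_cas={"DigiCert"}, revoked_serials={"SERIAL-REVOKED-01"})
SIGNED_JS = Attachment("invoice.pdf.js", Signature("Example Vendor", "DigiCert", "SERIAL-001"))
REVOKED_EXE = Attachment("setup.exe", Signature("Example Vendor", "DigiCert", "SERIAL-REVOKED-01"))
CLEAN_EXE = Attachment("setup.exe", Signature("Example Vendor", "DigiCert", "SERIAL-002"))
```

Note that `triage(SIGNED_JS, POLICY)` quarantines the attachment even though the signature is valid; the signature only changes the reason string that reaches the analyst.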

“Why break in when you can steal a key? Compromising authentication, from passwords to certificates, is a tried and true method for cybercriminals across the globe,” Tim Erlin, director of security and product management at Tripwire, added.
