Contributor: Satnam Narang
Previously we blogged about Backdoor.Egobot and outlined how it targets specific industries while maintaining a low profile. The cybercriminals behind Egobot may also have developed Infostealer.Nemim for a more widespread and prevalent campaign. Despite a difference in scope, both threats steal information from compromised computers and there are indications these two threats originate from the same source.
Nemim components
Symantec detected Nemim in the wild as early as the fall of 2006. One of the earliest samples contained a timer mechanism to determine when to remove itself from the compromised computer. Removal was conditional and tied to a fixed date or based on the number of times the sample was executed. The timer mechanism feature was also found in samples of Egobot.
The Nemim samples we analyzed were digitally signed with stolen certificates and, over time, the malware was updated with three components:
- Infector component
- Downloader component
- Information stealer component
Infector component
The infector component is designed to infect executables in specific folders. In particular, the infector targets the %UserProfile% folder and all of its subfolders.
Infection is not sophisticated. Nemim copies itself into a new section named .rdat added at the bottom of the infected file. The original entry point of the infected file is altered in order to point to the Nemim code in the .rdat section. The infection code is responsible for decrypting, dropping, and running an embedded executable file in the following path:
- %AllUsersProfile%\Application Data\Microsoft\Display\igfxext.exe
This executed file is the downloader component.
Downloader component
The downloader component acts as a wrapper for an encrypted executable. After decryption, the encrypted executable is loaded dynamically. This encrypted executable file contains the actual downloader functionality. However, before downloading, the malware harvests the following system information from the compromised computer:
- Computer name
- User name
- CPU name
- Operating system version
- Number of USB devices
- Local IP address
- MAC address
Figure 1. System information harvested by Infostealer.Nemim from compromised computers
This harvested information is encrypted, converted to Base64, and sent to the command-and-control (C&C) server, just like Egobot. The harvested information is viewable on the C&C server in an unencrypted format. For instance, the P2Pdetou variable shows computer name and user name: [COMPUTER NAME]@[USER NAME]. The server then responds with basic commands, including a payload that is dropped and executed. The downloader then expects the server to respond with a “minmei” string accompanied by the following commands:
The up command, for instance, indicates that the downloaded data contains an executable payload that the downloader will decrypt and run.
Information stealer component
The Information stealer component can steal stored account credentials from the following applications:
- Internet Explorer
- Mozilla Firefox
- Google Chrome
- Microsoft Outlook
- Outlook Express
- Windows Mail
- Windows Live Mail
- Gmail Notifier
- Google Desktop
- Google Talk
- MSN Messenger
The information stealer sends stolen data back to the C&C server and, like the downloader, expects a “minmei” string in response.
Geographical distribution and protection
Japan and the United States are the main targets of Nemim, followed by India and the United Kingdom.
Figure 2. Infostealer.Nemim geographical distribution
Symantec detects all the components of these threats to protect customers from attacks:
Nemim and Egobot connection
Analysis of the Nemim binaries revealed a connection to Backdoor.Egobot due to several similarities found in both threats.
|
|
Nemim
|
Egobot
|
|
Information gathered in specific formats using specific tags
|
Sys@User : %s@%s (%s)
C P U : %s
System OS: %s (%s)
Net card : %s(%s)
|
Sys@User : %s@%s (%s)
C P U : %s
System OS: %s (%s)
Net card : %s(%s)
|
|
Information encryption
|
Encrypted and Base64 encoded
|
Encrypted and Base64 encoded
|
|
C&C communication format
|
[URL/IP]/[PATH]/[FILE].php?a1=
%s&a2=%s&a3=%s
|
[URL/IP]/[PATH]/[FILE].php?arg1=
%s&arg2=%s&arg3=%s
|
|
Code injection technique
|
Microsoft Detours functionality
(early versions)
|
Microsoft Detours functionality
(all versions)
|
Table 1. Similarities between Nemim and Egobot
Based on these similarities and the overlapping timelines of both the campaigns it is apparent that Nemim and Egobot come from the same source.
Potential for a new campaign
Nemim continues to operate today and has effectively evolved over time. For instance, the string encryption has become non-trivial, stolen digital certificates have been upgraded with newer ones, and there are now checks in place to detect common virtual machines. Indeed, for the last seven years the attackers have shown an unwavering commitment to innovation and have developed malware that is adaptable to fit the needs of two different attack campaigns. We expect this innovate trend will continue with a high potential for new campaigns.
