Egobot and Nemim: two evolved trojans

Egobot and Nemim: two evolved trojans

Egobot

Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The execution of the campaigns is straightforward and effective. Symantec data indicates the campaigns have been in operation since 2009. Egobot has continuously evolved by adding newer functionalities. The attackers use the four golden rules of a targeted campaign:

  1. Identify targets
  2. Exploit targets (in order to drop the payload)
  3. Perform malicious activity (in this case, stealing information)
  4. Remain undetected

Symantec have also uncovered a parallel campaign that has been in operation as early as 2006, which we will cover in another blog.

Egobot targets

Egobot is targeted at executives working for Korean companies and also at executives doing business with Korea. Industries targeted with Egobot include:

  • Finance and investment
  • Infrastructure and development
  • Government agencies
  • Defense contractors

Targets are located around the globe and include Korea, Australia, Russia, Brazil, and the United States.

Nemim

The cybercriminals behind Egobot may also have developed Infostealer.Nemim for a more widespread and prevalent campaign. Despite a difference in scope, both threats steal information from compromised computers and there are indications these two threats originate from the same source.
Nemim components

Symantec detected Nemim in the wild as early as the fall of 2006. One of the earliest samples contained a timer mechanism to determine when to remove itself from the compromised computer. Removal was conditional and tied to a fixed date or based on the number of times the sample was executed. The timer mechanism feature was also found in samples of Egobot.

The Nemim samples we analyzed were digitally signed with stolen certificates and, over time, the malware was updated with three components:

  1. Infector component
  2. Downloader component
  3. Information stealer component

Infector component

The infector component is designed to infect executables in specific folders. In particular, the infector targets the %UserProfile% folder and all of its subfolders.

Infection is not sophisticated. Nemim copies itself into a new section named .rdat added at the bottom of the infected file. The original entry point of the infected file is altered in order to point to the Nemim code in the .rdat section. The infection code is responsible for decrypting, dropping, and running an embedded executable file in the following path:

  • %AllUsersProfile%\Application Data\Microsoft\Display\igfxext.exe

This executed file is the downloader component.
Downloader component

The downloader component acts as a wrapper for an encrypted executable. After decryption, the encrypted executable is loaded dynamically. This encrypted executable file contains the actual downloader functionality. However, before downloading, the malware harvests the following system information from the compromised computer:

  • Computer name
  • User name
  • CPU name
  • Operating system version
  • Number of USB devices
  • Local IP address
  • MAC address

image1_13.png

Figure 1. System information harvested by Infostealer.Nemim from compromised computers
This harvested information is encrypted, converted to Base64, and sent to the command-and-control (C&C) server, just like Egobot. The harvested information is viewable on the C&C server in an unencrypted format. For instance, the P2Pdetou variable shows computer name and user name: [COMPUTER NAME]@[USER NAME]. The server then responds with basic commands, including a payload that is dropped and executed. The downloader then expects the server to respond with a “minmei” string accompanied by the following commands:

  • up
  • re
  • no

The up command, for instance, indicates that the downloaded data contains an executable payload that the downloader will decrypt and run.
Information stealer component

The Information stealer component can steal stored account credentials from the following applications:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Microsoft Outlook
  • Outlook Express
  • Windows Mail
  • Windows Live Mail
  • Gmail Notifier
  • Google Desktop
  • Google Talk
  • MSN Messenger

The information stealer sends stolen data back to the C&C server and, like the downloader, expects a “minmei” string in response.
Geographical distribution and protection

Japan and the United States are the main targets of Nemim, followed by India and the United Kingdom.
image2_3.jpeg

Figure 2. Infostealer.Nemim geographical distribution

The information comes from symantec