Trojan stealing private key certificates

As you may have already noticed, malware peddlers have realized that their wares have a greater chance of being loaded by the targeted system if they are digitally signed. The recent Stuxnet worm is a good example of this rising trend.

But, where can they get these digital signatures? As the demand rises, it is inevitable that some criminals will concentrate on that particular task – and some have started already.

Symantec warns about Infostealer.Nimkey, a Trojan that is designed to collect private key certificates, keystrokes, and clipboard data and send it to a website where the authors can collect them.

This Trojan targets PKCS#12 public key certificate files, which also contain the private keys that the attackers need to steal the key owner’s signature. Spam email messages containing links to a malicious site that distributes this Trojan are the typical first step towards infection. Sometimes these messages also contain an file attachment with a .com extension in order to look like a link, but is actually malware they are tricked into running.

Another smoke-and-mirror tactic employed by this particular Trojan is the display of a form for federal tax return:

And while the user is trying to make sense of it, the Trojan goes to work and downloads other malicious files. Some of them record URLs you visit, others search for the PKCS#12 certificate files. An incorporated keylogger records keystrokes and clipboard data. And then it all gets shipped to a server in China.