Friday, October 18, 2013

Nemim Malware

[What]
Nemim is a malware family built from three components:
- an infector
- a downloader
- data-stealing components

[When]
This malware has been spreading since April 2013 and has compromised thousands of computers.

[Where]
The victims have been primarily concentrated in the U.S. and Japan.
A smaller number of infections have been detected in India and the U.K.

[How]
It spreads through phishing emails, and its components are signed with stolen digital certificates so that they pass as legitimate software.
The infector targets Windows users by compromising files in the victim's "User Profile" folder (%USERPROFILE%) and its subfolders.
Before the downloader fetches the remaining components, it collects details about the infected computer, such as its name, operating system version and local IP address, and reports them back to the attackers.
Once the additional components are in place, the information-stealing components hijack account credentials stored by web browsers, email clients and messaging applications, e.g. Internet Explorer, Firefox, Chrome, Outlook, Windows Mail, Google Talk, Google Desktop and MSN Messenger.
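An added example of the check a responder would run after reading the above; it is not code from the original post or from Symantec's write-up. It enumerates executables under the current user's profile, the folder the infector is reported to modify, and records each file's Authenticode status, signer and SHA-256 hash. The report path and the file extensions scanned are assumptions; the script only reads files and changes nothing on the host.

```powershell
# Added example (not from the original post): triage executables under the
# current user's profile and report their Authenticode signature status.
# Assumes Windows PowerShell 4.0 or later on Windows; $Report is an assumed path.
param(
    [string]$Root   = $env:USERPROFILE,
    [string]$Report = "$env:TEMP\userprofile-signatures.csv"
)

# Extensions scanned are an assumption; extend the list as needed.
$results = Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Status        = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            StatusMessage = $sig.StatusMessage
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Keep the full inventory for later comparison against known-good hashes.
$results | Export-Csv -Path $Report -NoTypeInformation

# HashMismatch means the file carries a signature but its contents changed after
# signing, which is what an infector writing into an existing signed binary produces.
# NotTrusted / UnknownError mean the certificate chain did not validate, which
# includes a signing certificate the issuer has since revoked.
$results |
    Where-Object { $_.Status -in 'HashMismatch','NotTrusted','UnknownError' } |
    Sort-Object LastWriteTime -Descending |
    Format-Table Path, Status, Signer, LastWriteTime -AutoSize

# Files that verify as Valid still deserve a look when the signer is unexpected:
# a stolen certificate that has not yet been revoked validates exactly like the
# real owner's. Grouping by signer makes a one-off signer stand out.
$results |
    Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer | Sort-Object Count |
    Format-Table Count, Name -AutoSize
```

Run it from an elevated or the affected user's session; the first table is the shortlist to hash-check and submit, the second is where a signed-but-unfamiliar binary from a stolen certificate would show up.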

Symantec believes that the group behind Nemim also developed a data-stealing trojan called Egobot, which has been used to target executives at Korean companies via spear phishing emails, i.e. lures crafted for specific individuals at an organization.
There are similarities between Nemim and Egobot:
- the attackers gather and encrypt stolen information in the same way
- both contain a timer mechanism that allows the attackers to remove the malware from infected computers.

[References]
Hackers compromise certs to spread Nemim malware, which hijacks email and browser data http://www.scmagazine.com/hackers-compromise-certs-to-spread-nemim-malware-which-hijacks-email-and-browser-data/article/316607/
