Zscaler ThreatLabZ detected a new infostealer malware family, dubbed Spymel, that uses stolen certificates to evade detection. The actors behind the threat distributed the malware through spam emails carrying a ZIP archive that contains a downloader. The address of the command and control (C&C) server is hardcoded in the malware. To send information to the attackers, the malware connects to the remote domain android.sh (213.136.92) on port 1216. The malware infected Windows XP and Windows 7 systems, creating registry keys to gain persistence.
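The two network indicators the report gives (the domain android.sh and port 1216) are enough for a simple log sweep. The following is an added example, not Zscaler's or the article's code: it parses constructed proxy/firewall log lines in an assumed key=value format and flags connections to the C&C domain (high confidence) or to port 1216 alone (low confidence, since an arbitrary port is a weak indicator on its own). The IP address in the report is truncated, so it is deliberately not used as an indicator.

```python
"""Detection sketch for the Spymel C&C indicators named in the report.

Added example, not Zscaler's or the article's code. Assumes a simple
key=value proxy/firewall log format (constructed below); the domain
android.sh and TCP port 1216 come from the report. The report's IP is
truncated, so it is intentionally not matched on.
"""
import re
from dataclasses import dataclass

C2_DOMAIN = "android.sh"   # from the report
C2_PORT = 1216             # from the report

# Constructed sample log lines in an assumed key=value format
SAMPLE_LOG = """\
ts=2016-01-11T09:14:02Z src=10.0.0.15 dst=android.sh dport=1216 proto=tcp action=allow
ts=2016-01-11T09:14:05Z src=10.0.0.15 dst=update.example.com dport=443 proto=tcp action=allow
ts=2016-01-11T09:15:30Z src=10.0.0.22 dst=files.example.net dport=1216 proto=tcp action=allow
ts=2016-01-11T09:16:11Z src=10.0.0.31 dst=cdn.android.sh.example.org dport=80 proto=tcp action=allow
"""


@dataclass
class Hit:
    src: str
    dst: str
    dport: int
    confidence: str   # "high" = domain match, "low" = port-only match


KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict (empty dict if nothing parses)."""
    return {k: v for k, v in KV.findall(line)}


def matches_domain(host, domain=C2_DOMAIN):
    """True for the domain itself or any subdomain of it.

    A suffix check on the bare string would also accept lookalikes such as
    android.sh.example.org, so the comparison is anchored on a label boundary.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan(log_text):
    """Return a Hit for every log record that touches a Spymel indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "dst" not in rec:
            continue
        try:
            dport = int(rec.get("dport", "0"))
        except ValueError:
            continue
        if matches_domain(rec["dst"]):
            hits.append(Hit(rec.get("src", "?"), rec["dst"], dport, "high"))
        elif dport == C2_PORT:
            hits.append(Hit(rec.get("src", "?"), rec["dst"], dport, "low"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.confidence:4} {h.src} -> {h.dst}:{h.dport}")
```

Run against the constructed sample, the scan returns one high-confidence hit (10.0.0.15 to android.sh:1216) and one low-confidence port-only hit (10.0.0.22 to port 1216); the lookalike host cdn.android.sh.example.org is correctly ignored. A port-only hit is a candidate for triage, not a verdict.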
Source: http://securityaffairs.co/wordpress/43380/cyber-crime/spymel-trojan-signed-code.html