SecurityWeek

APT Malware Counts Mouse Clicks to Evade Researchers

A new sophisticated threat campaign is taking an extra step to fight off malware analysis.

According to researchers at FireEye, the malware is monitoring mouse clicks to determine whether or not it is being analyzed in a sandbox. The technique is being used by a threat called Trojan.APT.BaneChant, which is being blasted out via a Word document laced with an exploit as part of a campaign believed by FireEye to be targeting governments in the Middle East and Central Asia.

The malware is not the first to use mouse clicks to evade researchers; however, unlike past threats, the Trojan does not stop checking after detecting a single mouse click. Instead, it waits until there have been multiple clicks, a counter to sandboxes that simulate a single click in order to satisfy the earlier, single-click check.

“This malware doesn’t kick into high gear immediately,” blogged FireEye researcher Ronghwa Chong. “Instead it requires an Internet connection for malicious code to be downloaded to the memory and executed. Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code. This prevents forensic investigators from extracting the “true” malicious code from the disk.”

The document used in the spear-phish is in RTF format and exploits CVE-2012-0158, a Microsoft Office vulnerability in the MSCOMCTL ActiveX control.

“After opening this malicious document, it attempts to download an XOR encoded binary (using a two byte XOR key) for the stage one payload,” the researcher continued. “It was also observed that the attacker leveraged a shortened URL to “hide” malicious domains from automated analysis technologies. After investigation, the malicious domain was analyzed to be recently registered.”

“Often when malware performs its callback, the communication goes directly to the CnC [command-and-control] server,” according to Chong. “In this case, the callback goes to a legitimate URL shortening service, which would then redirect the communication to the CnC server. Automated blocking technologies are likely to block only the URL shortening service and not the CnC server.”
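The point above is that a blocklist built from the first hop only covers the shortener, not the CnC host behind it. As an added example (not code from FireEye or the article), the block below walks a redirect chain hop by hop with redirects disabled, collects every hostname on the way, and refuses loops or unbounded chains. The `fetch` callable is injected so the logic runs offline against a constructed hop table; `head_no_follow` shows the equivalent live request with `http.client`, which does not follow redirects on its own. All URLs and hostnames are constructed for the example.

```python
"""Resolve a shortener redirect chain and list every host that needs blocking (added example)."""
import http.client
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
Fetch = Callable[[str], tuple[int, Optional[str]]]  # url -> (status, Location header or None)


def head_no_follow(url: str, timeout: float = 5.0) -> tuple[int, Optional[str]]:
    """One HEAD request; http.client never follows redirects, so the Location header is returned raw.

    Not used by the offline test below; shown for a live run.
    """
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
    try:
        conn.request("HEAD", parsed.path or "/", headers={"User-Agent": "chain-resolver/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_redirect_chain(start_url: str, fetch: Fetch, max_hops: int = 10) -> list[str]:
    """Return every URL visited, first hop to final, without ever auto-following a redirect."""
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    raise ValueError(f"more than {max_hops} hops from {start_url}")


def hosts_to_block(chain: list[str]) -> list[str]:
    """Every distinct hostname in the chain, not just the shortener that the callback names."""
    return sorted({urlparse(u).hostname for u in chain if urlparse(u).hostname})


# Constructed hop table standing in for a shortener that redirects to a dynamic-DNS CnC host.
CONSTRUCTED_HOPS = {
    "https://short.example/abc": (301, "http://updates.dyn.example.net/stage1.bin"),
    "http://updates.dyn.example.net/stage1.bin": (200, None),
}


def fake_fetch(url: str) -> tuple[int, Optional[str]]:
    """Offline stand-in for head_no_follow backed by the constructed table."""
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    chain = resolve_redirect_chain("https://short.example/abc", fake_fetch)
    print(" -> ".join(chain))
    print("block:", hosts_to_block(chain))
```

Blocking the final host from the resolved chain rather than the first is what the quoted observation asks for; the loop and hop limits keep an automated resolver from being tied up by a redirect that points back at itself.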

The majority of the malicious code, however, is only available after downloading the second-stage payload, which is served as a fake JPEG file from the malicious server. The second-stage code does not embed the malicious domain itself; instead the attackers use the dynamic DNS service provided by No-IP to “indirectly access the malicious domain,” he wrote.


After the JPEG file is executed directly in memory, it tries to fool users by disguising itself as ‘GoogleUpdate.exe’ and creates a shortcut link to the file in the startup folder [“C:\ProgramData\Google2\GoogleUpdate.exe”].

“It would look legitimate to users as it masquerades as a legitimate Google Updater,” the researcher explained. “It “would” appear normal if it attempts to access the Internet. In comparison, the real “GoogleUpdate.exe” resides in the “program files” instead of the “program data” directory.”
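The distinguishing detail above is location, not name: the genuine updater lives under Program Files, the masquerade under ProgramData. The block below is an added example (not FireEye's or the article's code) of a startup-folder check built on that detail: it normalizes each shortcut target with Windows path semantics (`ntpath`, so it runs on any platform), and flags a well-known updater name that resolves anywhere outside the trusted Program Files roots, including targets that use forward slashes or `..` to look as if they were under a trusted root. The target list is constructed for the example; on a real host you would first resolve each `.lnk` in the startup folders to its target path.

```python
"""Flag startup-folder targets that borrow a trusted updater's name but not its location (added example)."""
import ntpath

# Roots where the genuine updater binaries are installed (assumption: default install drive C:).
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")

# Executable names worth checking; lower-case, compared case-insensitively.
MASQUERADE_NAMES = {"googleupdate.exe"}


def _norm(path: str) -> str:
    """Windows-style normalization: collapse '..', unify separators, lower-case."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if `path` is `root` or lies below it after normalization."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def flag_suspicious_targets(targets: list[str]) -> list[str]:
    """Return the targets whose basename is a watched updater name outside every trusted root."""
    findings = []
    for target in targets:
        name = ntpath.basename(target).lower()
        if name in MASQUERADE_NAMES and not any(is_under(target, root) for root in TRUSTED_ROOTS):
            findings.append(target)
    return findings


# Constructed startup-shortcut targets: two legitimate locations, three masquerades in
# different spellings, and an unrelated program that the check must ignore.
CONSTRUCTED_STARTUP_TARGETS = [
    r"C:\ProgramData\Google2\GoogleUpdate.exe",
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    r"C:\Program Files\Google\Update\GoogleUpdate.exe",
    "C:/ProgramData/Google2/googleupdate.EXE",
    r"C:\Program Files (x86)\..\ProgramData\Google2\GoogleUpdate.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]

if __name__ == "__main__":
    for hit in flag_suspicious_targets(CONSTRUCTED_STARTUP_TARGETS):
        print("suspicious startup target:", hit)
```

The `..` case is why normalization comes before the prefix test: a naive `startswith("C:\\Program Files")` would accept a path that escapes the trusted root one directory later.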

“Overall, this malware was observed to send information about the computer and set up a backdoor for remote access,” the researcher noted. “This backdoor provides the attacker the flexibility on how malicious activities could be executed.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
