
APT Malware Counts Mouse Clicks to Evade Researchers

A new sophisticated threat campaign is taking an extra step to fight off malware analysis.


According to researchers at FireEye, the malware is monitoring mouse clicks to determine whether or not it is being analyzed in a sandbox. The technique is being used by a threat called Trojan.APT.BaneChant, which is being blasted out via a Word document laced with an exploit as part of a campaign believed by FireEye to be targeting governments in the Middle East and Central Asia.

The malware is not the first to use mouse clicks to evade researchers; however, unlike past threats, the Trojan does not stop checking after detecting a single mouse click. Instead, it waits until there have been multiple clicks.

“This malware doesn’t kick into high gear immediately,” blogged FireEye researcher Ronghwa Chong. “Instead it requires an Internet connection for malicious code to be downloaded to the memory and executed. Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code. This prevents forensic investigators from extracting the ‘true’ malicious code from the disk.”

The document used in the spear-phish is in RTF format and exploits CVE-2012-0158, a Microsoft Office vulnerability.

“After opening this malicious document, it attempts to download an XOR encoded binary (using a two byte XOR key) for the stage one payload,” the researcher continued. “It was also observed that the attacker leveraged a shortened URL to ‘hide’ malicious domains from automated analysis technologies. After investigation, the malicious domain was analyzed to be recently registered.”
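A two-byte repeating XOR key is weak enough that an analyst can recover it from the encoded download without the sample's own loader. The block below is an added example written for this article, not FireEye's code or anything from the campaign: it assumes the stage-one blob decodes to a normal Windows executable (first bytes `MZ`, standard DOS stub text), derives the key from those two known plaintext bytes, and refuses a guess that does not produce a plausible PE. The key and the payload bytes in the sample are constructed; the article does not give the real values.

```python
"""Recover a two-byte XOR key from an encoded PE and decode the payload.

Added example (not FireEye's code). Assumption: the encoded stage-one payload
is a Windows executable, so its first two plaintext bytes are b"MZ" and the
DOS stub string appears shortly after the header.
"""
from itertools import cycle

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; encoding and decoding are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_two_byte_key(encoded: bytes, known_prefix: bytes = b"MZ") -> bytes:
    """Known-plaintext attack: key byte i = encoded[i] XOR plaintext[i] for i in {0, 1}."""
    if len(encoded) < 2 or len(known_prefix) != 2:
        raise ValueError("need at least two encoded bytes and a two-byte known prefix")
    return bytes(e ^ p for e, p in zip(encoded[:2], known_prefix))


def looks_like_pe(decoded: bytes) -> bool:
    """Cheap plausibility check that the key guess was right: MZ header plus DOS stub text."""
    return decoded[:2] == b"MZ" and DOS_STUB in decoded


def decode_stage_one(encoded: bytes) -> tuple:
    """Return (key, decoded_bytes); raise if the recovered key does not yield a PE."""
    key = recover_two_byte_key(encoded)
    decoded = xor_bytes(encoded, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data does not look like a PE; the MZ assumption failed")
    return key, decoded


# Constructed sample: a fake PE header and DOS stub encoded with a made-up key.
SAMPLE_KEY = b"\x5a\xc3"
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 8
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, decoded = decode_stage_one(SAMPLE_ENCODED)
    print("recovered key:", key.hex())
    print("decoded header:", decoded[:4])
```

The DOS-stub check matters in practice: if the download is not a PE (a second layer of packing, or a blob the loader parses itself), the `MZ` guess produces garbage and the function reports that rather than handing back a wrong decode.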

“Often when malware performs its callback, the communication goes directly to the CnC [command-and-control] server,” according to Chong. “In this case, the callback goes to a legitimate URL shortening service, which would then redirect the communication to the CnC server. Automated blocking technologies are likely to block only the URL shortening service and not the CnC server.”

The majority of the malicious code, however, is only available after the second-stage payload is downloaded; it is served as a fake JPEG file from the malicious server. The malicious domain does not appear in the second-stage malware itself. Instead, the attackers use the dynamic DNS service provided by No-IP to “indirectly access the malicious domain,” he wrote.

After the JPEG file is executed directly in memory, it tries to fool users by disguising itself as ‘GoogleUpdate.exe’ and creates a shortcut in the Startup folder pointing to the file (“C:\ProgramData\Google2\GoogleUpdate.exe”).

“It would look legitimate to users as it masquerades as a legitimate Google Updater,” the researcher explained. “It ‘would’ appear normal if it attempts to access the Internet. In comparison, the real ‘GoogleUpdate.exe’ resides in the ‘program files’ instead of the ‘program data’ directory.”
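The location mismatch the researcher describes is a usable detection signal on its own: a binary named like the Google updater that lives outside Program Files, especially one reached through a Startup-folder shortcut. The following is an added example (not FireEye's or SecurityWeek's code) that runs that check over an inventory of file paths and shortcut targets. The inventory here is constructed sample data; in a real run it would come from an EDR export or a disk scan. The drop path is the one quoted in the article; the legitimate roots are the standard `Program Files` directories the article contrasts it with.

```python
"""Flag GoogleUpdate.exe copies outside Program Files and Startup shortcuts to them.

Added example, not code from the article or from FireEye. Uses PureWindowsPath so
the path logic runs on any OS against exported inventory data.
"""
from pathlib import PureWindowsPath

# Where the genuine updater lives, per the article ("program files", not "program data").
LEGIT_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)
WATCHED_NAMES = {"googleupdate.exe"}


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive component-wise prefix test (Windows paths are case-insensitive)."""
    p = [c.lower() for c in path.parts]
    r = [c.lower() for c in root.parts]
    return p[: len(r)] == r


def flag_masquerade(paths):
    """Return paths whose file name is a watched name but whose location is not a legitimate root."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() in WATCHED_NAMES and not any(is_under(p, r) for r in LEGIT_ROOTS):
            hits.append(str(p))
    return hits


def flag_startup_shortcuts(shortcuts):
    """shortcuts maps .lnk path -> target path. Flag Startup-folder links whose target is a masquerade hit."""
    hits = []
    for lnk, target in shortcuts.items():
        lnk_path = PureWindowsPath(lnk)
        in_startup = "startup" in [c.lower() for c in lnk_path.parts]
        if in_startup and flag_masquerade([target]):
            hits.append((str(lnk_path), str(PureWindowsPath(target))))
    return hits


# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",  # legitimate location
    r"C:\ProgramData\Google2\GoogleUpdate.exe",                # drop path quoted in the article
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_SHORTCUTS = {
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdate.lnk":
        r"C:\ProgramData\Google2\GoogleUpdate.exe",
    r"C:\Users\alice\Desktop\Notes.lnk": r"C:\Windows\System32\notepad.exe",
}

if __name__ == "__main__":
    for hit in flag_masquerade(SAMPLE_FILES):
        print("suspicious binary:", hit)
    for lnk, target in flag_startup_shortcuts(SAMPLE_SHORTCUTS):
        print("startup shortcut:", lnk, "->", target)
```

The name check is deliberately narrow so the example stays readable; a production version would extend `WATCHED_NAMES` to other commonly impersonated updaters and verify the Authenticode signature of any file found under a legitimate root rather than trusting the path alone.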

“Overall, this malware was observed to send information about the computer and set up a backdoor for remote access,” the researcher noted. “This backdoor provides the attacker the flexibility on how malicious activities could be executed.”
