A new sophisticated threat campaign is taking an extra step to fight off malware analysis.
According to researchers at FireEye, the malware is monitoring mouse clicks to determine whether or not it is being analyzed in a sandbox. The technique is being used by a threat called Trojan.APT.BaneChant, which is being blasted out via a Word document laced with an exploit as part of a campaign believed by FireEye to be targeting governments in the Middle East and Central Asia.
The malware is not the first to use mouse clicks to evade efforts by researchers; however, unlike past threats, the Trojan does not stop checking after detecting a single mouse click. Instead, it waits until there have been multiple clicks.
“This malware doesn’t kick into high gear immediately,” blogged FireEye researcher Ronghwa Chong. “Instead it requires an Internet connection for malicious code to be downloaded to the memory and executed. Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code. This prevents forensic investigators from extracting the “true” malicious code from the disk.”
The document used in the spear-phish is in RTF format and exploits CVE-2012-0158, a Microsoft Office vulnerability.
“After opening this malicious document, it attempts to download an XOR encoded binary (using a two-byte XOR key) for the stage one payload,” the researcher continued. “It was also observed that the attacker leveraged a shortened URL to “hide” malicious domains from automated analysis technologies. After investigation, the malicious domain was analyzed to be recently registered.”
“Often when malware performs its callback, the communication goes directly to the CnC [command-and-control] server,” according to Chong. “In this case, the callback goes to a legitimate URL shortening service, which would then redirect the communication to the CnC server. Automated blocking technologies are likely to block only the URL shortening service and not the CnC server.”
The majority of the malicious code, however, is only available after downloading the second stage payload, which is served as a fake JPEG file from the malicious server. The malicious domain is not found in the second-stage malware itself. Instead, the attackers use the dynamic DNS service provided by No-IP to “indirectly access the malicious domain,” he wrote.
After the JPEG file is executed directly in memory, it tries to fool users by disguising itself as ‘GoogleUpdate.exe’ and creates a shortcut link to the file in the startup folder [“C:\ProgramData\Google2\GoogleUpdate.exe”].
“It would look legitimate to users as it masquerades as a legitimate Google Updater,” the researcher explained. “It “would” appear normal if it attempts to access the Internet. In comparison, the real “GoogleUpdate.exe” resides in the “program files” instead of the “program data” directory.”
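The location mismatch Chong describes is a simple thing to hunt for. The following is an added example, not code from the article or from FireEye: it takes a list of shortcut target paths (assumed to have already been read out of the Windows Startup folders; the paths below are constructed samples, not observed indicators) and flags any file named GoogleUpdate.exe that does not live under Program Files.

```python
"""Flag Startup-folder shortcut targets that imitate the Google updater.

Added example (hypothetical helper, not part of the article). It assumes the
caller has already collected the target paths of .lnk files from the Startup
folders; the sample list below is constructed for illustration.
"""
from pathlib import PureWindowsPath

# The genuine updater is installed under one of these roots; anything else
# (ProgramData, a user profile, temp) is the pattern the article describes.
EXPECTED_ROOTS = ("c:/program files", "c:/program files (x86)")

# Constructed sample of shortcut targets, not real indicators.
SAMPLE_TARGETS = [
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    r"C:\ProgramData\Google2\GoogleUpdate.exe",          # lookalike directory
    r"C:\Users\alice\AppData\Roaming\GoogleUpdate.exe",  # user-writable location
    r"C:\Windows\System32\notepad.exe",                  # unrelated, ignored
]


def _normalize(path: PureWindowsPath) -> str:
    """Lower-case, forward-slash form so comparisons ignore case and separator."""
    return path.as_posix().lower()


def is_suspicious_google_updater(target: str) -> bool:
    """True when the file name is GoogleUpdate.exe but its parent directory is
    not under Program Files (either the 32- or 64-bit root)."""
    p = PureWindowsPath(target)
    if p.name.lower() != "googleupdate.exe":
        return False
    parent = _normalize(p.parent)
    return not any(parent == root or parent.startswith(root + "/")
                   for root in EXPECTED_ROOTS)


def find_suspicious(targets):
    """Return the subset of shortcut targets that should be reviewed."""
    return [t for t in targets if is_suspicious_google_updater(t)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_TARGETS):
        print("suspicious updater location:", hit)
```

On a live host the target paths would come from the .lnk files in the per-user and all-users Startup folders; the check itself is pure string handling, so it runs anywhere.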
“Overall, this malware was observed to send information about the computer and set up a backdoor for remote access,” the researcher noted. “This backdoor provides the attacker the flexibility on how malicious activities could be executed.”