Security researchers have detected a new malware evasion technique that uses human behaviors, downloading its payload only after it registers a series of mouse clicks from its victim.
Malware writers increasingly are adding techniques to dupe malware researchers. The latest twist, according to researchers at Milpitas, Calif.-based FireEye, builds on previous malware strains that attempt to avoid detection by hiding in Windows processes. Called BaneChant, the Trojan is believed to have been used in targeted spearphishing attacks in the Middle East and, in his analysis of the threat, FireEye malware researcher Chong Rong Hwa calls the built-in capabilities significant.
"In the past, evasion methods using mouse clicks only detected a single click, making the malware fairly easy to overcome," Hwa wrote in his analysis. "Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code."
Once the malware infects a system it goes into sleep mode, waiting for an Internet connection for malicious code to be downloaded to the memory and executed, Hwa said. It then attempts to contact a remote command and control server, tricking antivirus and most intrusion prevention systems by using Ow.ly, a legitimate URL shortening service, to redirect to the server under cybercriminal control. The technique provides indirect access, defeating automated URL blacklisting, Hwa said.
BaneChant waits for three or more left mouse clicks before it proceeds to download the second and most important stage, its malicious payload. The payload, which hides in a malicious image file, then executes and masquerades as a legitimate Google Update, according to the analysis. The backdoor gives an attacker full access to the victim's PC and, like other malware, it includes the capability to uninstall itself and wipe its existence from the infected system.
The malware author tagged the malicious payload BaneChant, which Hwa recognized as the sound track composed by Hans Zimmer for the movie "The Dark Knight Rises."
"Overall, this malware was observed to send information about the computer and set up a backdoor for remote access," Hwa wrote. "This backdoor provides the attacker the flexibility on how malicious activities could be executed."
The technique of hiding behind a victim's mouse click was detected in Trojans last year. FireEye detected a click fraud Trojan in December called Upclicker, which hid itself using mouse processes. Researchers anticipated that the technique would be copied and improved upon by other malware writers. One of the goals of the evasion techniques is to lengthen the time it takes for security vendors to create signatures detecting the malware. Symantec also detected a Trojan with similar functionality. In details it released in October, Symantec said the malware remained dormant until it detected mouse routines.
PUBLISHED APRIL 2, 2013