Malware writers are increasingly adding techniques to dupe malware researchers. The latest twist, according to researchers at Milpitas, Calif.-based FireEye, builds on previous malware strains that attempt to avoid detection by hiding behind Windows processes. Called BaneChant, the Trojan is believed to have been used in targeted spearphishing attacks in the Middle East, and in his analysis of the threat, FireEye malware researcher Chong Rong Hwa calls its built-in capabilities significant.
"In the past, evasion methods using mouse clicks only detected a single click, making the malware fairly easy to overcome," Hwa wrote in his analysis. "Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code."
Once the malware infects a system it goes into sleep mode, waiting for an Internet connection so that malicious code can be downloaded into memory and executed, Hwa said. It then attempts to contact a remote command-and-control server, tricking antivirus and most intrusion prevention systems by using Ow.ly, a legitimate URL shortening service, to redirect to the server under cybercriminal control. Because the shortener provides only indirect access to the server, automated URL blacklisting that looks at the visible link never sees the real destination, Hwa said.
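The blacklisting problem described above has a straightforward defensive counterpart: expand the shortener's redirect chain and apply the blocklist to every host the link passes through, not only to the link as it appears in the email. The following Python example is added here and is not FireEye's code or part of the original analysis; the redirect chain, the `shortener.example` / `c2-placeholder.example` hosts and the blocklist are constructed stand-ins (Ow.ly is the real-world shortener the article names), and `mock_fetch` stands in for an HTTP client so the code runs offline.

```python
"""Expand a URL-shortener redirect chain before applying a blocklist.

Added example (not from the original article or FireEye's analysis).
Hosts, paths and the blocklist are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlparse

# Status codes whose Location header the resolver follows.
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for live HTTP responses: url -> (status, Location).
# A 302 from the "shortener" hands off to a second hop, which lands on the
# placeholder C2 host. Nothing here is a real indicator.
CONSTRUCTED_REDIRECTS: Dict[str, Tuple[int, Optional[str]]] = {
    "http://shortener.example/abc": (302, "http://redirect.example/r?id=1"),
    "http://redirect.example/r?id=1": (301, "http://c2-placeholder.example/update/"),
    "http://c2-placeholder.example/update/": (200, None),
    # A deliberate loop using relative Location headers, to show loop handling.
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}

Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def mock_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Stand-in for an HTTP HEAD/GET that does not follow redirects itself."""
    return CONSTRUCTED_REDIRECTS.get(url, (200, None))


@dataclass
class Resolution:
    chain: List[str]      # every URL visited, starting with the input
    looped: bool          # a URL repeated, so the chain never terminates
    truncated: bool       # max_hops reached before a final response


def resolve_redirects(url: str, fetch: Fetcher = mock_fetch,
                      max_hops: int = 10) -> Resolution:
    """Follow 3xx Location headers until a non-redirect, a loop, or max_hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return Resolution(chain, looped=False, truncated=False)
        # urljoin handles relative Location values against the current URL.
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            return Resolution(chain, looped=True, truncated=False)
        seen.add(nxt)
    return Resolution(chain, looped=False, truncated=True)


def classify_link(url: str, blocked_hosts: Set[str],
                  fetch: Fetcher = mock_fetch) -> dict:
    """Compare a naive check of the visible link with a check of the expanded chain."""
    res = resolve_redirects(url, fetch)
    hosts_seen = {urlparse(u).hostname for u in res.chain}
    return {
        "final_url": res.chain[-1],
        "hops": len(res.chain) - 1,
        # What a blacklist that only looks at the visible link would decide.
        "blocked_at_start": urlparse(url).hostname in blocked_hosts,
        # What it decides once every hop of the chain is checked.
        "blocked_after_expansion": bool(hosts_seen & blocked_hosts),
        "looped": res.looped,
        "truncated": res.truncated,
    }


if __name__ == "__main__":
    blocklist = {"c2-placeholder.example"}
    for link in ("http://shortener.example/abc", "http://loop.example/a"):
        print(link, "->", classify_link(link, blocklist))
```

The contrast between `blocked_at_start` and `blocked_after_expansion` is the point: the shortener's own host is legitimate and will never be on a blocklist, so a check that stops at the visible link passes the message, while the same blocklist catches the link once the chain is expanded. In production the fetcher should disable automatic redirect following in the HTTP client and cap hops and time, since a malicious chain can be made long or circular.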
BaneChant waits for three or more left mouse clicks before it proceeds to download the second and most important stage, its malicious payload. The payload, which hides in a malicious image file, then executes and masquerades as a legitimate Google Update, according to the analysis. The backdoor gives an attacker full access to the victim's PC and, like other malware, it includes the capability to uninstall itself and wipe its existence from the infected system.
The malware author tagged the malicious payload BaneChant, which Hwa recognized as the name of a track on Hans Zimmer's soundtrack for the movie "The Dark Knight Rises."
"Overall, this malware was observed to send information about the computer and set up a backdoor for remote access," Hwa wrote. "This backdoor provides the attacker the flexibility on how malicious activities could be executed."
The technique of hiding behind a victim's mouse clicks was first detected in Trojans last year. In December FireEye detected a click-fraud Trojan called Upclicker, which stayed dormant until it observed mouse activity. Researchers anticipated that the technique would be copied and improved upon by other malware writers. One goal of such evasion techniques is to lengthen the time it takes for security vendors to create signatures detecting the malware. Symantec also detected a Trojan with similar functionality; in details it released in October, Symantec said the malware remained dormant until it detected mouse routines.
PUBLISHED APRIL 2, 2013