Sneaky malware hides behind mouse movement, experts say - meachamdiesse

Researchers from security vendor FireEye have uncovered a new advanced persistent threat (APT) that uses multiple detection evasion techniques, including the monitoring of mouse clicks, to determine whether there is active human interaction with the infected computer.

Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit and sent out in targeted email attacks. The name of the document translates to "Islamic Jihad.doc."

"We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," FireEye researcher Chong Rong Hwa said Monday in a blog post.

Multistage attack

The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine whether the operating environment is a virtualized one, such as an antivirus sandbox or an automated malware analysis system, by waiting to see if there is any mouse activity before initiating the second attack stage.

Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single click, Rong Hwa said. BaneChant waits for at least three mouse clicks before proceeding to decrypt a URL and download a backdoor program that masquerades as a .JPG image file, he said.

The malware also employs other detection evasion methods. For example, during the first stage of the attack, the malicious document downloads the dropper component from an ow.ly URL. Ow.ly is not a malicious domain, but a URL shortening service.

The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network, Rong Hwa said. (See also "Spammers abuse .gov URL shortener service in work-at-home scams.")

Similarly, during the second stage of the attack, the malicious .JPG file is downloaded from a URL generated with the No-IP dynamic Domain Name System (DNS) service.

After being downloaded by the first component, the .JPG file drops a copy of itself called GoogleUpdate.exe in the "C:\ProgramData\Google2" folder. It also creates a link to the file in the user's start-up folder in order to ensure its execution after every computer boot.

This is an attempt to trick users into believing that the file is part of the Google update service, a legitimate program that is normally installed under "C:\Program Files\Google\Update", Rong Hwa said.

The backdoor program gathers and uploads system information to a command-and-control server. It also supports several commands, including one to download and execute additional files on the infected computer.

As defense technologies advance, malware also evolves, Rong Hwa said. In this case, the malware has used a number of tricks: evading sandbox analysis by detecting human behavior, evading network-level binary extraction technology by applying multibyte XOR encryption to executable files, masquerading as a legitimate process, evading forensic analysis by using fileless malicious code loaded directly into memory, and preventing automated domain blacklisting by redirecting through URL shortening and dynamic DNS services, he said.
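A defender-side illustration of the XOR trick described above, added here and not part of the original article or of FireEye's research: a network or forensic tool that only looks for a literal "MZ" header misses an XOR-encoded executable, but every Windows executable carries known plaintext (the "MZ" magic and the DOS stub message), so a short repeating key can be recovered from a captured blob and the executable flagged anyway. The sample PE header and the 5-byte key below are constructed for the demonstration.

```python
import struct

MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_apply(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric: encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 8, window: int = 512):
    """Return (key, decoded_blob) if blob is a PE XOR-ed with a repeating key of
    up to max_key_len bytes, else None. Known-plaintext attack: slide DOS_STUB
    over the head of the blob; the stub is longer than any key tried, so one
    position yields every key byte. A recovered all-zero key means a plain PE."""
    head = blob[:window]
    for key_len in range(1, max_key_len + 1):
        for off in range(len(head) - len(DOS_STUB) + 1):
            # Key bytes as seen at this offset: cand[i] == key[(off + i) % key_len].
            cand = bytes(head[off + i] ^ DOS_STUB[i] for i in range(key_len))
            shift = off % key_len
            key = cand[-shift:] + cand[:-shift] if shift else cand  # realign to offset 0
            decoded = xor_apply(head, key)
            if decoded.startswith(MZ_MAGIC) and decoded[off:off + len(DOS_STUB)] == DOS_STUB:
                return key, xor_apply(blob, key)
    return None


def build_sample_pe_head() -> bytes:
    """Constructed stand-in for the first bytes of a Windows executable:
    DOS header with e_lfanew, the usual DOS stub, then the 'PE\\0\\0' signature."""
    dos_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    stub = dos_code + DOS_STUB + b".\r\r\n$\x00"
    e_lfanew = 64 + len(stub)
    header = MZ_MAGIC + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    return header + stub + b"PE\x00\x00"


# Constructed sample: a 5-byte key applied as a multibyte XOR layer over the executable.
SAMPLE_KEY = b"\x5a\xc3\x17\x9e\x4b"
SAMPLE_BLOB = xor_apply(build_sample_pe_head(), SAMPLE_KEY)

if __name__ == "__main__":
    hit = recover_xor_key(SAMPLE_BLOB)
    print("no XOR-encoded PE found" if hit is None else f"key {hit[0].hex()} recovered")
```

The same scan can be run over HTTP response bodies or carved file fragments; anything that yields a key is worth pulling aside for analysis even though no signature matched the raw bytes.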

Source: https://www.pcworld.com/article/457423/sneaky-malware-hides-behind-mouse-movement-experts-say.html

Posted by: meachamdiesse.blogspot.com
