
Don't click! Sneaky new malware is activated by multiple mouse clicks


A new sneaky malware is on the loose, evading computer antivirus software by waiting for multiple mouse clicks before releasing its payload.
 
Security firm FireEye said Trojan.APT.BaneChant improved on a mouse-click-sensing malware released months earlier, and contains other advanced evasion features.
 
"(W)e have found another spear phishing document that downloads malware which incorporates improved mouse click detection anti-sandboxing capability. It also leverages multiple advanced evasion techniques to achieve stealth and persistent infection," researcher Chong Rong Hwa said in a blog post.
 
Chong said the malware hides behind the document “Islamic Jihad.doc,” suggesting the malware may target governments in the Middle East and Central Asia.
 
Overall, Chong said this Trojan was observed to send information about the computer and set up a backdoor for remote access.
 
Also, Chong pointed out the new malware is "significant" as it detects multiple mouse clicks, compared to an earlier version that detects only a single click.
 
The malware also seeks to confuse those tracing the command-and-control server by using a legitimate URL-shortening service, FireEye said.
 
"Often when malware performs its callback, the communication goes directly to the CnC server. In this case, the callback goes to a legitimate URL shortening service, which would then redirect the communication to the CnC server. Automated blocking technologies are likely to block only the URL shortening service and not the CnC server," Chong said.
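
For defenders, the gap Chong describes can be narrowed by following redirects recorded in web proxy logs, so that the host behind a shortened link is surfaced for review as well as the shortener. The sketch below is an added example, not code from FireEye or the article; the log layout, host names and function names are assumptions, and the records are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: placeholder host names; a real deployment would load a shortener list.
SHORTENERS = {"short.example"}

# Constructed proxy log records (illustrative, not data from the FireEye report).
LOG = [
    {"client": "10.0.0.5", "url": "http://short.example/a1", "status": 301,
     "location": "http://hop.example/r?id=7"},
    {"client": "10.0.0.5", "url": "http://hop.example/r?id=7", "status": 302,
     "location": "/landing"},  # relative Location header
    {"client": "10.0.0.5", "url": "http://hop.example/landing", "status": 200,
     "location": None},
    {"client": "10.0.0.9", "url": "http://short.example/b2", "status": 302,
     "location": "http://loop.example/x"},
    {"client": "10.0.0.9", "url": "http://loop.example/x", "status": 302,
     "location": "http://short.example/b2"},  # redirect loop
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def final_destinations(records, shorteners=SHORTENERS, max_hops=5):
    """Map (client, shortener URL) -> last URL reached by following redirects."""
    redirects = {}
    for r in records:
        if 300 <= r["status"] < 400 and r.get("location"):
            redirects[(r["client"], r["url"])] = urljoin(r["url"], r["location"])
    results = {}
    for (client, url), target in redirects.items():
        if host(url) not in shorteners:
            continue
        seen, hops = {url}, 1
        while (client, target) in redirects and target not in seen and hops < max_hops:
            seen.add(target)
            target = redirects[(client, target)]
            hops += 1
        results[(client, url)] = target
    return results

def hosts_to_review(records, shorteners=SHORTENERS):
    """Hosts behind shortened links: candidates for review alongside the shortener."""
    finals = final_destinations(records, shorteners).values()
    return sorted({host(u) for u in finals} - set(shorteners))

if __name__ == "__main__":
    print(hosts_to_review(LOG))
```
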
 
Worse, Chong said the new malware has anti-forensic capability, waiting for an Internet connection before it executes its malicious code.
 
"Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code. This prevents forensic investigators from extracting the 'true' malicious code from the disk," Chong said.
 
A separate report on PC World said the malware first tries to see if it is in a virtualized environment, like an antivirus sandbox or an automated malware analysis system. — TJD, GMA News