FireEye experts have analyzed an interesting piece of malware

Apr 4, 2013 10:50 GMT

Trojans that analyze mouse clicks in an effort to evade sandbox environments have become more and more common. Researchers from security firm FireEye have uncovered a new piece of malware that incorporates improved mouse click detection capabilities.

According to experts, the malware, Trojan.APT.BaneChant, is distributed with the aid of spear phishing emails that carry malicious documents whose name is translated as “Islamic Jihad.doc.”

The name of this document has led researchers to believe that the main targets of this campaign are government organizations from the Middle East and Central Asia.

The malware employs three notable evasion techniques.

First of all, it detects multiple mouse clicks, unlike other variants that detect only a single click. This makes it even more difficult to analyze.

Secondly, it communicates with its command and control (C&C) server through a legitimate URL shortening service. This shields the C&C server from automated blocking technologies, because such tools are more likely to block the shortened URL or the shortening service than the actual server the link redirects to.
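The evasion described above depends on blocking decisions being made on the shortened URL rather than on where it redirects. The following added example (not FireEye's code, and not derived from the BaneChant analysis) shows a defender's counter-measure: parse a few constructed proxy log lines, flag requests to URL shorteners from non-browser processes, and resolve each shortened link to its final destination before deciding what to block. The shortener domain list, the redirect map (standing in for following the shortener's HTTP redirect offline), and the log format are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: a defender-maintained list of URL-shortening domains.
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "tinyurl.com", "ow.ly", "t.co"}

# Constructed redirect map: shortened URL -> final destination. In a real
# pipeline this comes from following the shortener's 301/302 Location header.
REDIRECT_MAP = {
    "http://bit.ly/2xAb9": "http://c2-example.invalid/update/check.php",
    "http://tinyurl.com/y7news": "https://news.example/daily",
}

# Constructed proxy log format: <timestamp> <src_ip> <method> <url> "<user_agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# User-agent fragments that suggest a real browser made the request.
BROWSER_UA_HINTS = ("Mozilla/", "Chrome/", "Safari/")


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua}


def is_shortener(url):
    """True if the URL's host is a known URL-shortening service."""
    host = (urlsplit(url).hostname or "").lower()
    return host in SHORTENER_DOMAINS


def resolve(url, redirect_map=REDIRECT_MAP):
    """Follow the redirect chain to its final URL; loops are cut by the seen-set."""
    seen = set()
    while url in redirect_map and url not in seen:
        seen.add(url)
        url = redirect_map[url]
    return url


def analyze(lines, redirect_map=REDIRECT_MAP):
    """Return one finding per shortener request, with the resolved destination."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_shortener(rec["url"]):
            continue
        browser_like = any(h in rec["ua"] for h in BROWSER_UA_HINTS)
        final = resolve(rec["url"], redirect_map)
        findings.append({
            "src": rec["src"],
            "shortened": rec["url"],
            "resolved": final,
            "block_target": urlsplit(final).hostname,  # block the real server, not the shortener
            "suspicious": not browser_like,            # shortener use by a non-browser process
        })
    return findings


def block_list(findings):
    """Hosts to block: resolved destinations of suspicious requests only."""
    return sorted({f["block_target"] for f in findings if f["suspicious"]})


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    '2013-04-04T10:50:01Z 10.0.0.12 GET http://bit.ly/2xAb9 ""',
    '2013-04-04T10:50:05Z 10.0.0.15 GET http://tinyurl.com/y7news "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"',
    '2013-04-04T10:50:09Z 10.0.0.12 GET http://bit.ly/2xAb9 "WinHTTP/1.0"',
    '2013-04-04T10:50:12Z 10.0.0.20 GET http://www.example.com/index.html "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
    print("block:", block_list(SAMPLE_LOGS and analyze(SAMPLE_LOGS)))
```

Blocking `bit.ly` outright would also break the legitimate browser request in the second sample line; resolving first lets the block land on the host the malware actually reaches while leaving the shortening service alone.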

Finally, unlike other pieces of malware that spring into action as soon as they infect a machine, APT.BaneChant doesn’t kick into high gear immediately.

Instead, it downloads the malicious code from the Internet directly into memory. Because the payload is never written to disk, it is more difficult for researchers to recover it from a disk image.

It’s worth noting that the initial malware doesn’t appear to have any malicious purpose on its own. Its goal becomes clear only once the second-stage payload is downloaded and executed in memory.

“Overall, this malware was observed to send information about the computer and set up a backdoor for remote access. This backdoor provides the attacker the flexibility on how malicious activities could be executed,” FireEye’s Chong Rong Hwa noted.

The complete technical analysis of APT.BaneChant is available on FireEye’s blog.