Upclicker Uses Left Mouse Button to Execute Malicious Code When No One Is Looking

The method is used to protect the Trojan from being analyzed

Experts have identified a Trojan that relies on a mouse hooking function to evade sandbox environments.

Cybercriminals are aware that automated analysis systems don’t use the mouse, so they’ve designed their creations to spring into action only when mouse movement is detected.

The Trojan analyzed by FireEye, Upclicker, is interesting because the malicious code is executed only after the user clicks the left mouse button and releases it.

Upclicker establishes malicious communication only when this particular action is performed.

A detailed technical analysis of this particular Trojan is available on FireEye’s blog.

A couple of months ago, experts from Symantec identified a similar Trojan that relied on mouse actions to determine whether it was being monitored by security experts.

