{"id":1648,"date":"2013-04-08T10:34:03","date_gmt":"2013-04-08T14:34:03","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1648"},"modified":"2013-04-08T10:34:03","modified_gmt":"2013-04-08T14:34:03","slug":"sneaky-malware-hides-behind-mouse-movement-experts-say","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/04\/08\/sneaky-malware-hides-behind-mouse-movement-experts-say\/","title":{"rendered":"Sneaky malware hides behind mouse movement, experts say"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2033374\/sneaky-malware-hides-behind-mouse-movement-experts-say.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/04\/malware_alert_shutterstock-100021645-large.jpg\" \/><\/a><\/p>\n<p>Researchers from security vendor FireEye have uncovered a new advanced persistent threat (APT) that uses multiple detection evasion techniques, including the monitoring of mouse clicks, to determine active human interaction with the infected computer.<br \/>\nCalled Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit sent during targeted email attacks. The name of the document translates to &#8220;Islamic Jihad.doc.&#8221;<br \/>\n&#8220;We suspect that this weaponized document was used to target the governments of Middle East and Central Asia,&#8221; FireEye researcher Chong Rong Hwa said Monday in a blog post.<br \/>\nMultistage attack<br \/>\nThe attack works in multiple stages. 
The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there&#8217;s any mouse activity before initiating the second attack stage.<br \/>\nMouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click, Rong Hwa said. BaneChant waits for at least three mouse clicks before proceeding to decrypt a URL and download a backdoor program that masquerades as a .JPG image file, he said.<br \/>\nThe malware also employs other detection evasion methods. For example, during the first stage of the attack, the malicious document downloads the dropper component from an ow.ly URL. Ow.ly is not a malicious domain, but is a URL shortening service.<br \/>\nThe rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network, Rong Hwa said. (See also &#8220;Spammers abuse .gov URL shortener service in work-at-home scams.&#8221;)<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2033374\/sneaky-malware-hides-behind-mouse-movement-experts-say.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/04\/malware_skull-100011911-medium.jpg\" \/><\/a><\/p>\n<p>Similarly, during the second stage of the attack, the malicious .JPG file is downloaded from a URL generated with the No-IP dynamic Domain Name System (DNS) service.<br \/>\nAfter being loaded by the first component, the .JPG file drops a copy of itself called GoogleUpdate.exe in the &#8220;C:\\ProgramData\\Google2\\&#8221; folder. 
It also creates a link to the file in the user&#8217;s start-up folder in order to ensure its execution after every computer reboot.<br \/>\nThis is an attempt to trick users into believing that the file is part of the Google update service, a legitimate program that&#8217;s normally installed under &#8220;C:\\Program Files\\Google\\Update\\&#8221;, Rong Hwa said.<br \/>\nThe backdoor program gathers and uploads system information back to a command-and-control server. It also supports several commands including one to download and execute additional files on the infected computers.<br \/>\nAs defense technologies advance, malware also evolves, Rong Hwa said. In this instance, the malware has used a number of tricks, including evading sandbox analysis by detecting human behavior, evading network-level binary extraction technology by performing multibyte XOR encryption of executable files, masquerading as a legitimate process, evading forensic analysis by using fileless malicious code loaded directly into the memory and preventing automated domain blacklisting by using redirection via URL shortening and dynamic DNS services, he said.<br \/>\nvia <a href=\"http:\/\/www.pcworld.com\/article\/2033374\/sneaky-malware-hides-behind-mouse-movement-experts-say.html\" target=\"_blank\">Sneaky malware hides behind mouse movement, experts say | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers from security vendor FireEye have uncovered a new advanced persistent threat (APT) that uses multiple detection evasion techniques, including 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9,10],"tags":[655,1104,1242],"class_list":["post-1648","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-technology","tag-malware","tag-trojan","tag-word-document"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-qA","jetpack-related-posts":[{"id":7586,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/06\/sneaky-linux-malware-comes-with-sophisticated-custom-built-rootkit\/","url_meta":{"origin":1648,"position":0},"title":"Sneaky Linux malware comes with sophisticated custom-built rootkit","author":"NCCT","date":"February 6, 2015","format":false,"excerpt":"A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that\u2019s custom built for each infection. The malware, known as XOR.DDoS, was first spotted in September by security research outfit Malware Must Die. 
However, it has since evolved and new versions were\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6833,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/12\/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps\/","url_meta":{"origin":1648,"position":1},"title":"iOS security hole allows attackers to poison already installed iPhone apps","author":"NCCT","date":"November 12, 2014","format":false,"excerpt":"Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data. The \"Masque\" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":8751,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/16\/state-sponsored-cyberspies-inject-victim-profiling-and-tracking-scripts-in-strategic-websites\/","url_meta":{"origin":1648,"position":2},"title":"State-sponsored cyberspies inject victim profiling and tracking scripts in strategic websites","author":"NCCT","date":"November 16, 2015","format":false,"excerpt":"By Lucian Constantin | 
PCWorld Web analytics and tracking cookies play a vital role in online advertising, but they can also help attackers discover potential targets and their weaknesses, a new report shows. Security researchers from FireEye have discovered an attack campaign that has injected computer profiling and tracking scripts\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6309,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/26\/android-attack-improves-timing-allows-data-theft\/","url_meta":{"origin":1648,"position":3},"title":"Android attack improves timing, allows data theft","author":"NCCT","date":"August 26, 2014","format":false,"excerpt":"A malicious application could enable the theft of login credentials, sensitive images, and other data from Android smartphones by making use of a newly discovered information-leakage weakness in the operating system, according to a team of researchers from the University of Michigan and the University of California at Riverside. The\u2026","rel":"","context":"In &quot;Hardware&quot;","block_context":{"text":"Hardware","link":"https:\/\/nccomputertech.com\/techtalk\/category\/hardware\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8465,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/07\/13\/hacking-teams-arsenal-included-at-least-three-unpatched-exploits-for-flash-player\/","url_meta":{"origin":1648,"position":4},"title":"Hacking Team&#8217;s arsenal included at least three unpatched exploits for Flash Player","author":"NCCT","date":"July 13, 2015","format":false,"excerpt":"Recently breached surveillance software maker, Hacking Team, had access to three different exploits for previously unknown vulnerabilities in Flash Player. All of them are now out in the open, putting Internet users at risk. 
Milan-based Hacking Team develops and sells surveillance software to government agencies from around the world. On\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7685,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/27\/hackers-impersonating-it-staff-popular-tactic-in-data-breaches-fireeye-finds\/","url_meta":{"origin":1648,"position":5},"title":"Hackers impersonating IT staff popular tactic in data breaches, FireEye finds","author":"NCCT","date":"February 27, 2015","format":false,"excerpt":"Fresh FireEye research suggests that today's cyberattackers are becoming smarter about the systems they seek to break, and are commonly using impersonation and social engineering to tap into the most common weakness in the security chain -- employees. Within FireEye's sixth annual M-trends report, which tracks the threat landscape and\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=1648"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1648\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=1648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=1648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=1648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}