May 6, 2013

How Many Clicks Does It Take? New Sophistication In Malware

Researchers at FireEye have discovered a new level of sophistication in malware designed to evade forensic analysis. Based on new evidence from Trojan.APT.BaneChant, the Trojan will not deploy until it detects multiple mouse clicks. It is nothing new for a piece of malware to stay dormant until it detects a mouse click, but Trojan.APT.BaneChant checks repeatedly for multiple clicks.

“This malware doesn’t kick into high gear immediately,” said Chong Rong Hwa, a researcher at FireEye. It first must find an active internet connection in order to receive a stage 2 payload. Unlike other pieces of malware that get right to work and begin exploiting the machine, this one merely plants a foothold on the system and waits for the right opportunity to set up shop on the victim’s machine. The second ingredient needed to execute the full payload is multiple mouse clicks, which are not typically performed when forensic analysts run malware in a sandbox. Because the actual malicious code is not present on the machine until the second stage has been downloaded, forensic investigators cannot examine it until the malware has observed that activity.

Good news for our clients and users in North America is that Trojan.APT.BaneChant has been primarily targeting governments in the Middle East and Central Asia. Massive Labs always recommends that our clients be wary of any attachments that arrive via email, from unknown and even trusted senders. Trojan.APT.BaneChant appears to be distributed as a Microsoft Word document laced with the exploit. The document is in RTF (Rich Text Format) and exploits CVE-2012-0158, a Microsoft Office vulnerability. Always verify attachments with the sender before opening them to protect yourself and your data.
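One defender-side check prompted by the delivery method above, written here as an added example and not taken from FireEye’s or Massive Labs’ analysis: it flags an attachment whose file name says Word but whose bytes say RTF, and reports any embedded OLE control object (the RTF \objocx keyword, which is how an ActiveX control such as the one abused by CVE-2012-0158 rides inside a document). The sample document and its \objdata hex are constructed filler, not a real exploit.

```python
import re

# Constructed sample, not a real exploit document: an RTF body carrying an
# embedded OLE control (\objocx) whose \objdata hex is dummy filler.
SAMPLE_RTF_DOC = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\n"
    b"\\pard Quarterly report attached.\\par\n"
    b"{\\object\\objocx\\objw1440\\objh1440{\\*\\objdata\n"
    b"01050000020000000000000000000000\n"
    b"00000000000000000000000000000000}}\n"
    b"}"
)

WORD_EXTENSIONS = (".doc", ".docx", ".dot")
# \objocx marks an OLE control (ActiveX) object; \objemb and \objlink mark
# ordinary embedded or linked OLE objects. The hex stream follows \objdata.
OBJECT_RE = re.compile(rb"\{\\object([^{]*)\{\\\*\\objdata\s*([0-9a-fA-F\s]*)\}")


def is_rtf(data: bytes) -> bool:
    """RTF documents open with the {\\rtf group, whatever the file is named."""
    return data.lstrip().startswith(b"{\\rtf")


def embedded_objects(data: bytes) -> list:
    """Return (kind, payload_size) for every \\object group in an RTF body."""
    found = []
    for modifiers, hexdata in OBJECT_RE.findall(data):
        kind = "OLE control" if b"\\objocx" in modifiers else "OLE object"
        payload_size = len(re.sub(rb"\s", b"", hexdata)) // 2  # hex chars -> bytes
        found.append((kind, payload_size))
    return found


def triage_attachment(filename: str, data: bytes) -> list:
    """Findings a mail gateway or analyst would want before the file is opened."""
    findings = []
    rtf = is_rtf(data)
    if rtf and filename.lower().endswith(WORD_EXTENSIONS):
        findings.append(f"{filename}: Word extension but RTF content")
    if rtf:
        for kind, size in embedded_objects(data):
            findings.append(f"{filename}: embedded {kind} ({size} bytes of \\objdata)")
    return findings


if __name__ == "__main__":
    for line in triage_attachment("report.doc", SAMPLE_RTF_DOC):
        print(line)
```

Neither finding proves the file is malicious, but an RTF posing as a .doc that also carries an OLE control is exactly the shape of attachment worth holding for analysis or confirming with the sender.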

For more information please visit FireEye’s Blog.