Much like malware that was discovered last year, a new Trojan has been reported that relies on detecting mouse clicks to evade sandbox analysis. BaneChant masquerades as a Word document and incorporates advanced evasion techniques making it stealthier than its predecessor.
Researchers at FireEye spotted the malware in a malicious document that translates to “Islamic Jihad.doc,” a title that suggests the malware is targeting governments via spear phishing attacks in the Middle East and Central Asia, according to a post on the company’s blog by Chong Rong Hwa yesterday.
The malware, discovered by FireEye’s Abhishek Singh, can send information about the infected computer to attackers and can also set up backdoors to allow remote access that could let an attacker further execute malicious activities.
Once victims open the document, the malware downloads a binary and leverages a shortened URL to disguise what it’s doing from malware detection services. Instead of communicating directly with a command and control server, this Trojan communicates with the URL shortening service, ow.ly, which then contacts the C+C server.
Unlike most types of malware, the “Islamic Jihad.doc” document is more “husk”-like: There’s not much to it as it is, instead it relies on the internet to download its malicious code. Once the malware’s payload winword.pkg is downloaded, it only takes three left clicks to get the second payload, the malicious one, to download.
The actual payload, after it’s decoded, begins with the Tag, “BaneChant,” taking its name from the chant uttered by followers of Batman’s antagonist Bane in “The Dark Knight Rises” film.
The Upclicker Trojan, discovered by Singh in December, also relied on user clicks as a trigger. After a user clicked and released the left mouse button once, the Trojan would spring to life.
“Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment,” they said at the time.
Dana Tamir, Director of Product Marketing at Trusteer, sees the BaneChant malware as another instance of targeted attacks using vulnerable endpoint applications for their exploits.
“This is another example of a targeted attack that exploits the biggest enterprise weakness – vulnerable endpoint applications. The attack exploits vulnerabilities to introduce malware, which then enables the attack progression,” Tamir said Tuesday.
FireEye has a much more in depth analysis of the BaneChant malware, its shellcode and its payload, on its blog.