BaneChantMuch like malware that was discovered last year, a new Trojan has been reported that relies on detecting mouse clicks to evade sandbox analysis. BaneChant masquerades as a Word document and incorporates advanced evasion techniques making it stealthier than its predecessor.

Researchers at FireEye spotted the malware in a malicious document that translates to “Islamic Jihad.doc,” a title that suggests the malware is targeting governments via spear phishing attacks in the Middle East and Central Asia, according to a post on the company’s blog by Chong Rong Hwa yesterday.

The malware, discovered by FireEye’s Abhishek Singh, can send information about the infected computer to attackers and can also set up backdoors to allow remote access that could let an attacker further execute malicious activities.

Once victims open the document, the malware downloads a binary and leverages a shortened URL to disguise what it’s doing from malware detection services. Instead of communicating directly with a command and control server, this Trojan communicates with the URL shortening service,, which then contacts the C+C server.

Unlike most types of malware, the “Islamic Jihad.doc” document is more “husk”-like: There’s not much to it as it is, instead it relies on the internet to download its malicious code. Once the malware’s payload winword.pkg is downloaded, it only takes three left clicks to get the second payload, the malicious one, to download.

The actual payload, after it’s decoded, begins with the Tag, “BaneChant,” taking its name from the chant uttered by followers of Batman’s antagonist Bane in “The Dark Knight Rises” film.

The Upclicker Trojan, discovered by Singh in December, also relied on user clicks as a trigger. After a user clicked and released the left mouse button once, the Trojan would spring to life.

“Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment,” they said at the time.

Dana Tamir, Director of Product Marketing at Trusteer, sees the BaneChant malware as another instance of targeted attacks using vulnerable endpoint applications for their exploits.

“This is another example of a targeted attack that exploits the biggest enterprise weakness – vulnerable endpoint applications. The attack exploits vulnerabilities to introduce malware, which then enables the attack progression,” Tamir said Tuesday.

FireEye has a much more in depth analysis of the BaneChant malware, its shellcode and its payload, on its blog.

Categories: Malware

Comments (3)

  1. CharaLeigh

    Hi, how do I find and get rid of this if I suspect this problem on one computer and protect the other comperter that I think may yet be clean?  The problems I have to do a lot of research for class and down load .pdf files and word docs from the internet.  The one computer has suddenly started to malfunction to the point that I now have to switch to the other computer requiring the transfer of my words files and .pdfs!  The only alerts that I recieved prior were the yellow banner alerets. I noticed that this was happening when I was not on line!

  2. Anonymous

    I doubt this is true:

    “Instead of communicating directly with a command and control server, this Trojan communicates with the URL shortening service,, which then contacts the C+C server.”

    The URL-shortener doesn’t communicate with the C&C-server but just returns the true URL and then the trojan still has to communicate on his own. Otherwise an URL-shortener would work as a proxy with tons of traffic going through it.

Comments are closed.