The appropriately named trojan, Nap, further makes use of a long sleep in what FireEye said is a classic technique used to stay under the radar of an automated analysis system. It also uses the fast flux technique in order to hide the identity and location of the attacker controlling it.
Nap is a malicious downloader, using the payload to extract information from the infected systems. It performs its functions, then goes into a 10-minute timeout. Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior.
It also uses the fast flux technique to hide the location/identity of the attacker, FireEye reported. “In contrast to a typical fast flux setup where multiple IPs are returned in a DNS response, this one returns a single IP, which looks like another attempt to appear normal,” FireEye security researchers Abhishek Singh and Ali Islam explained in a blog. “When the domain is resolved multiple times (10 seconds apart), each time the domain's resolution resulted in a different IP. The IPs are most probably zombies acting as front-end flux agents giving cover to the actual bot-herder.”
In this, Nap performs similarly to the malware that infected the New York Times last week, they noted, in the first of a spate of media hacks.
The sleep technique is one of many that hackers employ to evade detection by automated security precautions. “In addition to extended sleep calls to evade automated analysis, we have observed many techniques, like hooking to a mouse, that are actively being employed by the advanced active malwares,” said FireEye researchers. “In the near future we expect to see malware employing automated analysis evasion techniques combined with network evasion techniques to evade detection.”