BaneChant trojan hides behind multiple mouse clicks

Only if the number of left clicks is three or more will this malware proceed further to download a second stage payload – the true malicious code

It also has authors who are fans of Batman. FireEye researchers dubbed the malware “BaneChant” after a piece of code tagged with the term, which refers to the soundtrack of Batman: the Dark Knight Rises.

Last December, FireEye discovered a new strain of malware, "Trojan Upclicker," which evades anti-virus and automated analysis systems by “hooking” itself to the mouse, lurking there undetected and dormant until a user comes along to left-click and deploy its payload. Now, the firm has uncovered a similar ability in BaneChant, but in this case it requires three left-clicks to activate the bug.

Only if the number of left clicks is three or more will the malware proceed further to download a second stage payload – the true malicious code. And that makes it much harder to detect. “It detects multiple mouse clicks,” wrote FireEye researcher Chong Rong Hwa, in a blog post. “In the past, evasion methods using mouse clicks only detected a single click, making the malware fairly easy to overcome.”

Overall, BaneChant does what most trojans do: it collects information about the computer and sets up a backdoor for remote access. This backdoor gives the attacker flexibility in how malicious activities are carried out. What sets it apart is a comprehensive set of hide-and-seek capabilities.

“It…leverages multiple advanced evasion techniques to achieve stealth and persistent infection,” said Chong. He added, “As defense technologies advance, malware also evolves. In this instance, we could see that the malware has performed a number of tricks to defeat detection.”

To wit: It attempts to evade sandboxes by detecting human behavior such as multiple mouse clicks; evades network binary extraction technology by performing multi-byte XOR encryption on executable files; social engineers the user into thinking that the malware is legitimate; avoids forensic and incident response by using fileless malicious code; and prevents automated domain blacklisting by using redirection via URL shortening and Dynamic DNS services.
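A defender-side counterpart to the multi-byte XOR trick listed above, added here as an example (it is not FireEye's or the malware's code): a network extractor can recover a repeating XOR key from a captured blob by using the DOS stub string every Windows PE carries, then confirm the decoded bytes are a PE. The sample blob and the 4-byte key are constructed.

```python
import struct
from itertools import cycle

# Plaintext every Windows PE carries near its start; it lets an extractor undo a repeating XOR layer.
DOS_STUB = b"This program cannot be run in DOS mode."

def xor(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key, phase-aligned to offset 0 of data."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(blob: bytes, max_len: int = 8):
    """Slide the DOS stub over the blob; for each offset and key length derive a candidate
    key and keep it only if it decodes the whole stub and the file then starts with 'MZ'."""
    for off in range(len(blob) - len(DOS_STUB) + 1):
        for n in range(1, max_len + 1):
            key = bytearray(n)
            for i in range(n):  # key byte for position p is blob[p] ^ plaintext[p]
                p = off + i
                key[p % n] = blob[p] ^ DOS_STUB[i]
            plain = xor(blob, key)
            if plain[:2] == b"MZ" and plain[off:off + len(DOS_STUB)] == DOS_STUB:
                return bytes(key)
    return None

def looks_like_pe(data: bytes) -> bool:
    """Follow e_lfanew from the DOS header and check for the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def extract_executable(blob: bytes):
    """Return (key, decoded_pe) for an XOR-wrapped PE, or None."""
    key = recover_key(blob)
    if key is None:
        return None
    plain = xor(blob, key)
    return (key, plain) if looks_like_pe(plain) else None

def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped stand-in (not a real binary)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew -> PE header
    hdr[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + bytes(50)

SAMPLE_KEY = b"\x5a\xc3\x17\x9e"                   # constructed 4-byte key
CAPTURED = xor(build_sample_pe(), SAMPLE_KEY)      # what the wire would show
```

The same known-plaintext step works for any key length up to `max_len`, which is why a longer key alone does not defeat extraction once the stub is present.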

The attack starts with a spear phishing mail containing a malicious document. It’s named “Islamic Jihad,” leading FireEye to assume the weaponized document was used to target Middle Eastern and Central Asian victims.

Once deployed, the callback goes to a legitimate URL rather than directly to the Command & Control service. “In this case, the callback goes to a legitimate URL shortening service, which would then redirect the communication to the CnC server,” Chong noted. “Automated blocking technologies are likely to block only the URL shortening service and not the CnC server.”

On the forensic front, it’s worth noting that the malware doesn’t kick into high gear immediately. Instead, it requires an internet connection for malicious code to be downloaded to the memory and executed. “Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code,” Chong explained. “This prevents forensic investigators from extracting the ‘true’ malicious code from the disk.”

All in all, BaneChant shows that malware authors are getting sneakier. “By designing the malware this way, it makes it harder to perform incident response and facilitates ease of update of malicious code,” Chong said.
