Researchers at FireEye are warning of a new strain of malware, "Trojan Upclicker," which evades anti-virus and automated analysis systems by "hooking" itself to the mouse: it lies dormant and undetected until a user comes along and left-clicks, at which point it deploys its payload.
Symantec first identified the underlying technique; Trojan Upclicker is a weaponized form of it that keys specifically on mouse input.
“SetWindowsHookExA() API installs the _main_routine to monitor messages from the mouse,” explained FireEye researchers Abhishek Singh and Yasir Khalid. “When the malware receives messages from the mouse—that is, if the mouse is moved or buttons are clicked—the main subroutine executes.” Once the left mouse button is clicked and released, Trojan Upclicker opens Explorer for code injection.
Because anti-virus systems and large-scale “sandbox”-style automated research and malware analysis tools don’t evaluate mouse interactions, hiding there is a convenient way for the malicious code to avoid identification—until it’s too late.
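As an added illustration from the analysis side (this is not FireEye's, Symantec's or the malware's code), the script below is a user-interaction stimulator a sandbox operator could run inside the analysis VM so that a click-gated sample actually detonates while it is being observed: `plan_interaction()` produces mouse travel plus separate left-button press and release events and runs anywhere, while `replay()` assumes a Windows guest, where it injects the plan through `user32.mouse_event` via ctypes.

```python
"""Sandbox user-interaction stimulator (added example).

Upclicker's hook stays dormant until it sees mouse motion and a left-button
press followed by a release, so an analysis VM has to produce those events
itself. replay() assumes a Windows guest and user32.mouse_event via ctypes.
"""
import ctypes
import random
import sys
import time

# Flag values from <winuser.h>.
MOUSEEVENTF_MOVE = 0x0001
MOUSEEVENTF_LEFTDOWN = 0x0002
MOUSEEVENTF_LEFTUP = 0x0004
MOUSEEVENTF_ABSOLUTE = 0x8000
STEPS = 10  # intermediate positions per move, so a hook sees real travel


def plan_interaction(width, height, clicks=5, min_travel=200, seed=None):
    """Return (flags, x, y, delay_s) events: a wander of at least min_travel
    pixels, then a separate left press and release, repeated `clicks` times."""
    rng = random.Random(seed)
    events, x, y = [], width // 2, height // 2
    for _ in range(clicks):
        tx, ty = rng.randrange(width), rng.randrange(height)
        while abs(tx - x) + abs(ty - y) < min_travel:
            tx, ty = rng.randrange(width), rng.randrange(height)
        for step in range(1, STEPS + 1):
            sx = x + (tx - x) * step // STEPS
            sy = y + (ty - y) * step // STEPS
            events.append((MOUSEEVENTF_MOVE | MOUSEEVENTF_ABSOLUTE, sx, sy, 0.02))
        x, y = tx, ty
        # Down and up are distinct messages; the trigger fires on the release.
        events.append((MOUSEEVENTF_LEFTDOWN, x, y, 0.08))
        events.append((MOUSEEVENTF_LEFTUP, x, y, 0.5))
    return events


def replay(events, width, height):
    """Inject the plan on a Windows VM (absolute coords are scaled to 0..65535)."""
    if sys.platform != "win32":
        raise RuntimeError("replay() only works inside a Windows analysis VM")
    user32 = ctypes.windll.user32
    for flags, x, y, delay in events:
        user32.mouse_event(flags, x * 65535 // width, y * 65535 // height, 0, 0)
        time.sleep(delay)
```

Run `replay(plan_interaction(1920, 1080, clicks=3, seed=1), 1920, 1080)` from a helper process inside the guest once the sample has been started, and randomize the seed per run so the stimulation itself does not become a fingerprint.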
The malware creates a backdoor on the infected Windows system through which additional malware can be brought in.
This particular strain is only triggered with a left click, but it’s unlikely to stay that way. “In order to process enormous amounts of samples, automated sandbox analysis is commonly being used by the anti-virus industry,” the FireEye researchers noted. “To evade automated analysis, we expect to see more such samples that can use a specific aspect like pressing specific keys, specific mouse buttons or movement of the mouse a certain distance to evade the automated analysis.”