Upclicker Trojan Evades Sandbox Detection by Hiding in a Mouse Click

by Michael Mimoso

Finding keen new ways to avoid detection by security systems, malware scanners in particular, seems to be a primary objective for malware writers.

Researchers at FireEye have found one of the most ingenious, a Trojan called Upclicker that eludes automated sandbox detection by hooking into a mouse click.

Upclicker is a backdoor that only comes to life after a user clicks and releases the left mouse button, FireEye researchers Abhishek Singh and Yasir Khalid wrote.

“Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment,” they said.

Sandboxes are isolated environments where suspicious code is executed out of harm’s way. If it’s malicious, the code is blocked, otherwise, the process proceeds. Antimalware software is deploying sandboxing technology more and more as part of their core offerings. Some largely deployed applications such as Adobe Reader and Flash, as well as Java, also have sandbox capabilities.

“To evade automated analysis, we expect to see more such samples that can use a specific aspect like pressing specific keys, specific mouse buttons, or movement of the mouse a certain distance to evade the automated analysis,” the researchers said.

More malware is appearing with built-in evasion techniques. Encryption packers are longstanding tactic used by attackers to increase the viability of malicious code. Conficker, for example, was able to detect if it was opened in a virtual machine, which would indicate it was opened in a test and not a production environment, and would not execute.

more on link

https://threatpost.com/en_us/blogs/upclicker-trojan-evades-sandbox-detection-hiding-mouse-click-121412