There is now a Trojan that relies on a mouse hooking function to evade sandbox environments.
Attackers understand that automated analysis systems don’t use the mouse, so they designed their Trojan to come into play only when the system detects mouse movement.
Upclicker’s malicious code executes only after the user clicks the left mouse button and releases it, said researchers at security firm FireEye.
Upclicker establishes malicious communication only when the user performs this particular action.
A couple of months ago, experts from Symantec identified a similar Trojan which relied on mouse actions to determine whether or not it was being monitored by security experts.
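The click-gated behaviour described above can be surfaced by running a sample twice, once idle and once with a simulated left click, and comparing the traces. The sketch below is an added example, not FireEye's or Symantec's tooling. It assumes the hook is installed through the Windows `SetWindowsHookEx` API, and the trace format, the `SIM_INPUT` marker and all trace contents are constructed for illustration.

```python
# Added example. Traces are constructed, in a hypothetical (time, api, detail) format.
WH_MOUSE, WH_MOUSE_LL = 7, 14   # Windows mouse hook IDs (winuser.h)
NETWORK_APIS = {"connect", "WSASend", "InternetOpenUrlA", "HttpSendRequestA"}

# Run 1: the sandbox leaves the mouse alone.
IDLE_RUN = [
    (0.2, "SetWindowsHookExA", {"idHook": WH_MOUSE_LL}),
    (0.3, "GetMessageA", {}),
]
# Run 2: the sandbox injects a left click; SIM_INPUT is a hypothetical marker it logs.
CLICK_RUN = [
    (0.2, "SetWindowsHookExA", {"idHook": WH_MOUSE_LL}),
    (0.3, "GetMessageA", {}),
    (5.0, "SIM_INPUT", {"event": "WM_LBUTTONDOWN"}),
    (5.1, "SIM_INPUT", {"event": "WM_LBUTTONUP"}),
    (5.9, "connect", {"dst": "192.0.2.10:443"}),  # TEST-NET address, constructed
]

def first_time(trace, match):
    """Timestamp of the first event for which match(api, detail) is true."""
    return next((t for t, api, d in trace if match(api, d)), None)

def assess(idle_run, click_run):
    """Compare an idle run with a click run of the same sample."""
    hook = first_time(click_run, lambda api, d: api.startswith("SetWindowsHookEx")
                      and d.get("idHook") in (WH_MOUSE, WH_MOUSE_LL))
    release = first_time(click_run, lambda api, d: api == "SIM_INPUT"
                         and d.get("event") == "WM_LBUTTONUP")
    net_idle = [t for t, api, _ in idle_run if api in NETWORK_APIS]
    net_click = [t for t, api, _ in click_run if api in NETWORK_APIS]
    # Click-gated: hook installed, silent when idle, traffic only after button release.
    gated = (hook is not None and release is not None and hook < release
             and not net_idle and bool(net_click)
             and all(t > release for t in net_click))
    return {"mouse_hook": hook is not None, "idle_network": len(net_idle),
            "click_network": len(net_click), "click_gated": gated}

if __name__ == "__main__":
    print(assess(IDLE_RUN, CLICK_RUN))
```

A mouse hook on its own is common in legitimate software; the signal here is the combination of a hook, silence in the idle run, and network activity that starts only after the button release.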