A new Trojan, BaneChant, masquerades as a Word document and incorporates advanced evasion techniques like detecting mouse clicks to evade sandbox analysis, which makes it more invisible.
The malware ended up found in a malicious document that translates to “Islamic Jihad.doc,” a title that suggests the malware is targeting governments via spear phishing attacks in the Middle East and Central Asia, said FireEye Researcher Chong Rong Hwa.
The malware, discovered by FireEye’s Abhishek Singh, can send information about the infected computer to attackers and can also set up backdoors to allow remote access that could let an attacker further execute malicious activities.
Once victims open the document, the malware downloads a binary and leverages a shortened URL to disguise what it is doing from malware detection services. Instead of communicating directly with a command and control server, this Trojan communicates with the URL shortening service, ow.ly, which then contacts the C+C server.
Unlike most types of malware, the “Islamic Jihad.doc” document is more “husk”-like: There’s not much to it as it is, instead it relies on the Internet to download its malicious code. Once the malware’s payload winword.pkg downloads, it only takes three left clicks to get the second payload, the malicious one, to download.
The actual payload, after decoding, begins with the Tag, “BaneChant,” taking its name from the chant uttered by followers of Batman’s antagonist Bane in “The Dark Knight Rises” film.
The Upclicker Trojan, discovered by Singh in December, also relied on user clicks as a trigger. After a user clicked and released the left mouse button once, the Trojan would spring to life.
“Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment,” they said at the time.
“This is another example of a targeted attack that exploits the biggest enterprise weakness – vulnerable endpoint applications. The attack exploits vulnerabilities to introduce malware, which then enables the attack progression,” said Dana Tamir, Director of Product Marketing at Trusteer.