Advanced Malware Takes Unique Steps to Hide Itself

By Dennis Faas

Researchers have discovered a new type of malware that uses several advanced strategies to prevent you from detecting it. Those strategies include tracking user mouse usage and hiding malicious files.

The malware, which is being called Trojan.APT.BaneChant, was recently discovered by researchers at security firm FireEye. The malware reportedly spreads through an infected Microsoft Word document attached to emails.

So far, BaneChant has mostly been seen overseas. "We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," noted FireEye researcher, Chong Rong Hwa. (Source: pcworld.com)

Malware Built to Detect Human Behaviour

Here's how BaneChant works: once the malware has been downloaded and installed on a system, it attempts to figure out if the operating environment is a virtualized one.

A virtualized operating environment might include an antivirus sandbox or an automated malware analysis system. To see if this kind of system is being used, BaneChant checks for mouse activity.

The advantage of this approach: by waiting to confirm that a human is using the system (a human is more likely to click multiple times), BaneChant reduces the chance that it will be detected and removed. (Source: infosecurity-magazine.com)

Hwa says this kind of tactic has been used before, but it typically involved waiting for a single mouse click. BaneChant takes things a step further by checking for at least three mouse clicks before moving on to the second stage of the attack.

Malware Hides URL, Malicious Image File

In addition to the mouse checking, BaneChant manipulates the URL it contacts, so that security software on the system cannot tell that a program is connecting to a blacklisted service for further instructions.

Finally, BaneChant uses a malicious .JPG image file called GoogleUpdate.exe in the "C:\ProgramData\Google2\" folder. A link to that file in the user's start-up folder ensures that the malware is executed every time the system is rebooted.

By using the name 'GoogleUpdate', BaneChant further dupes users into thinking it's a harmless program.
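The persistence trick above (a start-up link to a look-alike "GoogleUpdate.exe" dropped under C:\ProgramData\Google2\) is something a defender can check for. The following is an added example, not code from the article or from FireEye: it takes start-up shortcut entries that have already been resolved to their target paths (a constructed sample is embedded) and flags targets that borrow the name of the real Google updater but run from somewhere other than its assumed legitimate install directories, or that run from anywhere under ProgramData.

```python
"""Flag start-up shortcuts whose target mimics a trusted updater but lives in an
unexpected directory, the persistence pattern described for BaneChant."""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Assumed legitimate install directories for the real Google updater
# (system-wide under Program Files; per-user under %LOCALAPPDATA%).
LEGIT_PARENTS = {
    "c:/program files (x86)/google/update",
    "c:/program files/google/update",
}
LEGIT_USER_SUFFIX = "/appdata/local/google/update"

# File names that malware is known to borrow to look harmless.
MIMICKED_NAMES = {"googleupdate.exe"}


def classify_target(target: str) -> str:
    """Return a reason string if the start-up target looks suspicious, else ''."""
    path = PureWindowsPath(target)
    name = path.name.lower()
    parent = path.parent.as_posix().lower()
    if name in MIMICKED_NAMES:
        if parent in LEGIT_PARENTS or parent.endswith(LEGIT_USER_SUFFIX):
            return ""
        return f"{path.name} running outside its legitimate install directory"
    if parent.startswith("c:/programdata/"):
        return "executable launched at start-up from ProgramData"
    return ""


def scan_startup_entries(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """entries maps shortcut name -> resolved target; returns (shortcut, target, reason)."""
    hits = []
    for shortcut, target in entries.items():
        reason = classify_target(target)
        if reason:
            hits.append((shortcut, target, reason))
    return hits


# Constructed sample of resolved start-up entries; the first mirrors the article.
SAMPLE_ENTRIES = {
    "Google Update.lnk": r"C:\ProgramData\Google2\GoogleUpdate.exe",
    "GoogleUpdate.lnk": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    "OneDrive.lnk": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Helper.lnk": r"C:\ProgramData\Vendor\helper.exe",
}

if __name__ == "__main__":
    for hit in scan_startup_entries(SAMPLE_ENTRIES):
        print(hit)
```

Resolving the real shortcut targets from the Startup folder on a live host is left to the caller; the checks here only reason about the resolved paths.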

Hwa says these tricks make BaneChant a very advanced form of malware designed to evade human detection.

He adds that, once installed, BaneChant communicates with a central command and control server. It then passes along critical system information to that server.

From there, BaneChant can also download and execute new files on the infected system.
