Researchers have uncovered a novel form of malware that incorporates a slew of detection-dodging techniques targeting government departments in the Middle East and Central Asia.
Security firm FireEye reported uncovering the new malware in a blog post, warning that it has several advanced capabilities.
"We have found another spear phishing document that downloads malware which incorporates improved mouse click detection anti-sandboxing capability," wrote FireEye's Chong Rong Hwa.
"It also leverages multiple advanced evasion techniques to achieve stealth and persistent infection."
The malware is particularly dangerous because its mouse click tracking feature allows it to monitor users' behaviour and adapt its own actions to avoid detection.
The mouse click tracking is designed to help the malware evade sandbox defences. It does this by checking whether there is any mouse activity, which tells the attackers whether the environment is a virtual one, such as an antivirus sandbox, before the malware fully activates.
“It appears to count three clicks of the mouse before executing, as this way it looks like a human is running the software. Though we've seen this in the past, the extent to which it relies on mouse clicking is unprecedented,” Rong Hwa told V3.
FireEye reported that the malware features several other capabilities including the ability to callback to a legitimate URL and advanced anti-forensic capabilities.
"Often when malware performs its callback, the communication goes directly to the CnC server. In this case, the callback goes to a legitimate URL shortening service, which would then redirect the communication to the CnC server. Automated blocking technologies are likely to block only the URL shortening service and not the CnC server," explained Hwa.
"Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code. This prevents forensic investigators from extracting the 'true' malicious code from the disk."
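The blocking blind spot described in the callback quote above is that automated tools block the URL shortener rather than the command-and-control server behind it. The following is an added example, not FireEye's code or anything from the reported sample, of a resolver that walks the redirect chain hop by hop and judges the final destination. The redirect table, hostnames and blocklist are constructed placeholders; a real implementation would issue one request per hop without auto-following and read each `Location` header.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table for the demo: URL -> value of the Location header
# that URL would return. Hostnames are placeholders, not real indicators.
REDIRECTS = {
    "http://short.example/abc123": "http://cdn.example-cnc.test/beacon",
    "http://cdn.example-cnc.test/beacon": "/stage2",      # relative redirect
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",  # loop
}

# Constructed blocklist of known CnC hosts (placeholder values).
CNC_HOSTS = {"cdn.example-cnc.test"}


def resolve_chain(url, lookup=REDIRECTS.get, max_hops=10):
    """Follow Location headers one hop at a time and return every URL visited.

    Stops at the first URL that does not redirect, on a redirect loop, or
    after max_hops, so a hostile chain cannot spin the resolver forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = lookup(chain[-1])
        if location is None:          # terminal URL: no further redirect
            break
        nxt = urljoin(chain[-1], location)   # resolves relative Location values
        chain.append(nxt)
        if nxt in seen:               # loop detected: record it and stop
            break
        seen.add(nxt)
    return chain


def verdict(url):
    """Block on any host in the whole chain, not just the shortener."""
    chain = resolve_chain(url)
    hosts = {urlsplit(u).hostname for u in chain}
    matched = sorted(hosts & CNC_HOSTS)
    return {
        "final": chain[-1],
        "hops": len(chain) - 1,
        "block": bool(matched),
        "matched": matched,
    }
```

Blocking on every host seen along the chain, rather than only the first, is what closes the gap the quote describes; the same idea applies to proxy logs where the shortener and the final host are logged as separate requests.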
The malware is reportedly designed to send information about the infected computer to the malware's authors and set up a backdoor for remote access, giving the attacker the ability to mount further attacks.
FireEye reported that the file name of the malware indicates it is intended for use against government groups and agencies.
"The name of the malicious document is translated to be 'Islamic Jihad.doc'. Hence, we suspect that this weaponised document was used to target the governments of the Middle East and Central Asia," wrote Hwa.
The malware is one of many uncovered operating in the Middle East and is the second attack detected by FireEye that is able to track users' mouse clicks.
The first was originally detected by FireEye senior malware researcher Abhishek Singh in December 2012.
Other high profile attacks targeting the region include the infamous Flame malware, which was caught targeting the Iranian government midway through 2012.