In July 2017, security researchers spotted a new version of the prolific Ursnif banking trojan that comes with a clever trick to evade sandbox environments and automated virtual machines: it uses mouse movements to detect whether a real user is interacting with the computer.
The general idea is to check whether the mouse cursor's position changes over time, something that typically does not happen in automated security-testing and malware-analysis environments, where the cursor stays in the same position for the entire scan.
We're used to these clever tricks from Ursnif. This banking trojan has been a breeding ground for new malware techniques.
For example, in the summer of 2016, Ursnif was one of the first banking trojans and malware families to consistently use the Tor network to hide its command and control (C&C) servers.
During the same summer, we've also seen Ursnif test and deploy other innovative anti-detection and VM-evasion techniques.
These are only a few of the tricks Ursnif has deployed in the past year. Its most recent campaign, the one that used the mouse-movement detection technique, started in April 2017.
Victims would receive a spam email carrying a password-protected ZIP file. Users who decompressed the file would see three Word documents.
According to Forcepoint, the company that analyzed this most recent campaign in a report, all three documents contained the same malicious macro script. The crooks used three documents to improve the odds that a user opens at least one of them and gets infected.
Allowing the macro to run would download a DLL file, which decompressed into a second DLL, which in turn produced a third that installed the banking trojan.
The mouse movements weren't used only to tell a real operator from a virtual machine: the cursor's movement also fed the brute-forcing of an encryption key stored in the second DLL, which was needed to obtain the third, the aim being that an environment with no mouse activity never reaches the final stage. All in all, the usual clever techniques we've become accustomed to from the Ursnif gang.
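The following is an added example, not code from the article, from Forcepoint's report or from the Ursnif sample itself. It reproduces the structure of the two uses of cursor position described above (an idle-cursor sandbox check, and a brute-force key search seeded from the cursor's displacement) in Python. The cursor reader is injectable so it runs offline on any OS; the seed formula, the XOR "cipher", the 256-key search window and the fake DLL payload are all constructed for illustration, since the article does not give Ursnif's actual algorithm.

```python
# Added example, not code from the article, Forcepoint or the Ursnif sample:
# a toy reproduction of the two uses of cursor position the article describes.
# Names, the XOR "cipher", the 256-key search window and the sample payload
# are all constructed for illustration; only the structure of the trick is real.
import hashlib
import time
from typing import Callable, Iterable, List, Optional, Tuple

Point = Tuple[int, int]


# A real Windows sample would read the cursor with user32!GetCursorPos
# (ctypes.windll.user32.GetCursorPos); here the reader is injectable so the
# example runs offline on any OS.
def make_reader(positions: List[Point]) -> Callable[[], Point]:
    """Constructed cursor source that replays a fixed list of positions."""
    it = iter(positions)
    last = positions[-1]
    return lambda: next(it, last)


def sample_positions(read_cursor: Callable[[], Point],
                     samples: int = 4, interval_s: float = 0.5) -> List[Point]:
    """Poll the cursor `samples` times, `interval_s` apart."""
    seen = []
    for _ in range(samples):
        seen.append(read_cursor())
        time.sleep(interval_s)
    return seen


def user_is_present(positions: Iterable[Point], min_distinct: int = 2) -> bool:
    """Use 1 from the article: a cursor that never moves suggests a sandbox."""
    return len(set(positions)) >= min_distinct


def seed_from_delta(first: Point, last: Point) -> int:
    """Use 2: turn the observed cursor displacement into a brute-force seed
    (constructed formula; the article does not give Ursnif's)."""
    return abs(last[0] - first[0]) + abs(last[1] - first[1])


def xor_stream(data: bytes, key: int) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream (constructed)."""
    ks = hashlib.sha256(key.to_bytes(4, "little")).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


DOS_MAGIC = b"MZ\x90\x00"   # start of a typical PE/DLL; acts as the decryption oracle
SEARCH_WINDOW = 256          # constructed: how far past the seed the search looks

# Constructed stand-in for "the third DLL", encrypted under a key the malware
# never stores; it is only reachable when the seed lands within SEARCH_WINDOW.
REAL_KEY = 1400
SAMPLE_PAYLOAD = DOS_MAGIC + b"constructed fake DLL body"
ENCRYPTED_BLOB = xor_stream(SAMPLE_PAYLOAD, REAL_KEY)


def recover_key(blob: bytes, seed: int, window: int = SEARCH_WINDOW) -> Optional[int]:
    """Try keys seed..seed+window-1; accept the first that yields a DOS header."""
    for candidate in range(seed, seed + window):
        if xor_stream(blob[:len(DOS_MAGIC)], candidate) == DOS_MAGIC:
            return candidate
    return None


def run_stage(read_cursor: Callable[[], Point],
              samples: int = 4, interval_s: float = 0.0) -> Optional[bytes]:
    """Gate the next stage on both checks, returning the decrypted payload
    (or None when the environment looks automated or the key is out of reach)."""
    positions = sample_positions(read_cursor, samples, interval_s)
    if not user_is_present(positions):
        return None                      # a real sample would sleep or exit quietly here
    key = recover_key(ENCRYPTED_BLOB, seed_from_delta(positions[0], positions[-1]))
    if key is None:
        return None
    return xor_stream(ENCRYPTED_BLOB, key)


if __name__ == "__main__":
    still = make_reader([(100, 100)] * 4)                                   # idle sandbox
    human = make_reader([(100, 100), (300, 250), (600, 500), (900, 700)])   # real user
    print("idle cursor   ->", run_stage(still))
    print("moving cursor ->", run_stage(human)[:4])
```

Two points for analysts follow from the toy. The first check is cheap to defeat: a sandbox that synthesises cursor movement (several do) passes `user_is_present`. The second is the harder one, because the seed has to land inside the search window, and random jitter will not reliably put it there; the practical way to get the payload out of such a sample is to patch or hook the cursor read and supply the displacement the unpacker expects, or to brute-force the key over the full range rather than the sample's own window.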
The most unusual part was that this version of the Ursnif trojan focused on extracting contacts and passwords from the Mozilla Thunderbird email client, rather than focusing on stealing credentials for specific banks.
"The rationale behind the Thunderbird-related functionality in this sample is unclear," said Forcepoint researcher Yogi Gao. "This may be a first attempt at such activity, potentially meaning that more email clients or applications will be included in future releases."
UPDATE [July 27, 2017]: Research published by Internet Initiative Japan (IIJ) in March reveals that versions of the Ursnif malware had used the mouse-cursor-based anti-detection technique even earlier than the samples detected by Forcepoint. On Monday, Cybereason also published details about an Ursnif campaign targeting Japan.