Sunday, January 28, 2018

How does the Ursnif Trojan variant exploit mouse movements?

As security researchers and vendors improve the defenses within their products, malicious actors keep looking for ways to bypass them and continue their efforts. This cat-and-mouse game is best seen in how malware authors keep devising new attacks and workarounds. Many of these techniques are very creative, and with a new variant of the Ursnif Trojan we saw attackers use mouse movements both to decrypt their payload and to evade sandbox detection.

Sandboxes are used to validate that files downloaded from the internet are safe to run on the endpoint. The files are sent to the sandbox and executed on a virtual machine to determine their intended purpose. Because this can detect malware, attackers are continually looking for ways to bypass this security layer.

There have been multiple methods used in the past to detect sandboxes, such as searching for VMware registry keys and virtual network adapters, checking for unusually low CPU and RAM, or simply doing nothing for hours to find out whether the file is running on a VM.

In that last case the malware just sits idle. This also evades sandboxes, because sandbox scans don't last for hours, and the malware holds off its malicious actions once these indicators tip it off that it is being analysed. The file is then judged clean and allowed into your network where, like a Trojan horse, it wreaks havoc.

The Ursnif Trojan's spin on sandbox detection is to use the previous and current mouse pointer locations to validate that it's not running in a sandbox. The technique, discovered by Forcepoint Security Labs, takes the delta between these pointer locations and uses it to create a base seed that assists with decryption.

The Ursnif Trojan works through the candidate keys derived from the base seed until one matches the proper checksum, which essentially amounts to a brute-force-like search, and only then executes the remainder of the code. In a sandbox the mouse delta is always zero, because nobody moves the pointer, so a search that starts from that seed can never produce the properly decoded code. As a result, the malware never executes within a sandboxed environment.
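To make the mechanism concrete from the analyst's side, here is an added toy model of the mouse-delta-seeded key search described above. It is constructed for this post and is not Ursnif's code: the XOR encoding, the CRC32 checksum, the modulus 251, the seed derivation and the `synthetic_cursor_path` sandbox mitigation are all assumptions chosen so that the toy has the same property the article describes (a zero delta can never reach the key, any nonzero delta eventually does). The last function shows why sandbox vendors feed synthetic pointer movement to samples.

```python
# Added example: toy model of a mouse-delta-seeded key search (constructed, not Ursnif code).
import zlib

MODULUS = 251       # constructed: prime, so seed * k (k = 1..250) visits every nonzero residue
SEARCH_STEPS = 250  # constructed: size of the brute-force-like key walk


def mouse_delta(prev, cur):
    """Pointer delta between two cursor samples; this is what the seed is derived from."""
    return cur[0] - prev[0], cur[1] - prev[1]


def seed_from_delta(dx, dy):
    """Constructed reduction of the delta to a small seed. A static pointer yields 0."""
    return (abs(dx) + abs(dy)) % MODULUS


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_sample(plaintext, key):
    """Constructed 'packer': XOR-encode the stage and keep a checksum of the clear text."""
    return xor_bytes(plaintext, key), zlib.crc32(plaintext)


def recover_stage(encoded, checksum, seed):
    """Walk candidate keys derived from the seed; stop when the decoded bytes match the
    checksum. With seed 0 every candidate is 0, so the real key is never reached."""
    for k in range(1, SEARCH_STEPS + 1):
        candidate = (seed * k) % MODULUS
        decoded = xor_bytes(encoded, candidate)
        if zlib.crc32(decoded) == checksum:
            return decoded
    return None


def run_under_cursor_samples(encoded, checksum, samples):
    """Model of the evasion check: sample the pointer twice, derive the seed, try to decode."""
    dx, dy = mouse_delta(samples[0], samples[-1])
    return recover_stage(encoded, checksum, seed_from_delta(dx, dy))


def synthetic_cursor_path(start, steps=5, stride=7):
    """Constructed sandbox-side mitigation: replay a short, non-repeating pointer path so
    that a GetCursorPos-style double sample sees a nonzero delta."""
    x, y = start
    return [(x + i * stride, y + (i * stride) // 2) for i in range(steps)]


# Constructed sample: a harmless marker string encoded under a fixed key.
STAGE = b"STAGE2:decoded"
KEY = 137
ENCODED, CHECKSUM = build_sample(STAGE, KEY)


def demo():
    """Return the decode result under three cursor histories (constructed samples)."""
    idle_sandbox = [(512, 384)] * 5                      # nobody touches the mouse
    real_user = [(512, 384), (530, 390), (541, 402)]     # a person moved the pointer
    hardened_sandbox = synthetic_cursor_path((512, 384))  # sandbox injects movement
    return {
        "idle_sandbox": run_under_cursor_samples(ENCODED, CHECKSUM, idle_sandbox),
        "real_user": run_under_cursor_samples(ENCODED, CHECKSUM, real_user),
        "hardened_sandbox": run_under_cursor_samples(ENCODED, CHECKSUM, hardened_sandbox),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {'stage decoded' if result else 'no decode, stays dormant'}")
```

Running it shows the idle sandbox never decodes the stage while both the real user and the hardened sandbox do, which is the whole point: a sandbox that does not emulate user interaction reports such a sample as benign.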

Read the rest of my article here:


  1. Internet security is a much more important step that everyone should take, but as I read the stuff I got some good points about trojan antivirus, and thepensters always share wonderful info. Keep it up!


  2. That’s a great article. Happy to see a torch bearer against malware. Welcome to the group! You can get further information on all such topics on our page Virus Removal Guidelines News Update. Please go through the articles and help us spread the message to the world!

  3. I'm glad I found this blog. It really offers value and knowledge to the readers. Thanks for the insights you share. Please keep it up and more power to your writings. Lawrence Todd Maxwell

  4. Thanks a lot for sharing a piece of wonderful information which I have been looking for for a long period of time. phd dissertation writing service
