Pages

Sunday, January 28, 2018

How does the Ursnif Trojan variant exploit mouse movements?

As security researchers and vendors improve the security within their products, malicious actors are continually looking for ways to bypass them and continue their efforts. This cat and mouse game continues to play out, and is best seen in how malware authors are continually developing creative ways to create new attacks or workarounds. Many times, these techniques are very creative and, with a new variant of the Ursnif Trojan, we saw attackers use mouse movements to decrypt and evade sandbox detection.

Sandboxes are used to validate that downloaded files from the internet are safe to run on the endpoint. They're sent to the sandbox and executed on a virtual machine to determine their intended purpose. Since this can detect malware, attackers are continually looking for ways to bypass this security layer.

There have been multiple methods used in the past to detect sandboxes, such as searching for VMware registry keys, virtual adapters, low CPU and RAM, and doing nothing for hours to determine if a file is on a VM.

In this case, the malware would sit idle. This is also a way to avoid sandboxes, since the scans don't last hours, and users don't perform the malicious actions if they are tipped off to these variables. This would allow the files to enter your network where, like a Trojan horse, they'd wreak havoc.

The Ursnif Trojan's spin on sandbox detection is to use the previous and current mouse point locations to validate that it's not sitting in a sandbox. The technique, discovered by Forcepoint Security Labs, looks for the delta between these pointer locations and uses these variables to create a base seed that can assist with decryption.

The Ursnif Trojan goes through the base seeds to decipher the key, and once it matches the proper checksum, which can essentially take a brute force-like combination to achieve, the malware executes the remainder of the code. It does this because the D-value of the mouse movement is always zero, and it will never be able to decipher the proper decoded code at this starting point. Since this is the case, it will never execute within a sandboxed environment.

Read the rest of my article here: http://searchsecurity.techtarget.com/answer/How-does-the-Ursnif-Trojan-variant-exploit-mouse-movements
Posted by at

9 comments:

  1. anonymousApril 17, 2018 at 3:08 AM

    Internet security is much more important step that everyone should to taken but as I read the stuff which I get some best points about trojan antivirus and thepensters always share wonderful info. Keep it up!

    ReplyDelete
    Replies
    1. SankarAugust 1, 2020 at 3:20 PM

      Great Article
      Cyber Security Projects

      projects for cse

      Networking Security Projects

      JavaScript Training in Chennai

      JavaScript Training in Chennai

      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
  2. Virus Removal GuidelinesNovember 26, 2018 at 5:25 AM

    That’s a great article. Happy to see a torch bearer against malware. Welcome to the group! You can get further information on all such topics on our page Virus Removal Guidelines News Update. Please go through the articles and help us spread the message to the world!

    ReplyDelete
  3. AnonymousNovember 30, 2018 at 1:33 AM

    I'm glad I found this blog. It really offers value and knowledge to the readers. Thanks for the insights you share. Please keep it up and more power to your writings. Lawrence Todd Maxwell

    ReplyDelete
  4. pettersonSeptember 20, 2019 at 1:22 AM

    Thanks a lot for sharing a piece of wonderful information which I am looking for a longer period of time. phd dissertation writing service

    ReplyDelete
  5. norhanNovember 18, 2019 at 6:14 PM



    مكافحة حشرات بالخبر مكافحة حشرات بالخبر
    مكافحة حشرات بمكة مكافحة حشرات بمكة
    مكافحة حشرات بالمدينة المنورة شركة مكافحة حشرات بالمدينة المنورة
    مكافحة حشرات بالدمام شركة مكافحة حشرات بالدمام

    ReplyDelete
  6. carisFebruary 18, 2020 at 1:14 AM

    https://www.vingle.net/posts/2770293
    https://otech.instructure.com/eportfolios/33165/Home/Why_200301_Questions_Pdf_2020_Is_Far_More_Crucial_Than_You_Consider
    https://arizonawet.arizona.edu/users/best-way-use-200-301-questions-pdf-2020-delight-your-200-301-career
    https://ilde.upf.edu/v/3ms6
    https://serc.carleton.edu/person/144069.html
    https://educacao.telessaude.ifes.edu.br/eportfolios/395/Pgina_inicial/How_to_pass_CISCO_200301_Exam_on_First_Try
    https://training.dwfacademy.com/eportfolios/88/Home/Want_to_Pass_CISCO_200301_Exam_in_1st_Attempt
    https://www.olaladirectory.com.au/200-301-dumps-prepare-and-pass-with-updated-cisco/

    ReplyDelete
  7. invincible01September 24, 2020 at 3:05 AM

    Amazing Article, Really useful information to all So, I hope you will share more information to be check and share here.


    Jupyter Notebook
    Jupyter Notebook Online
    Jupyter Notebook Install
    Automation Anywhere Tutorial
    Rpa automation anywhere tutorial pdf
    Automation anywhere Tutorial for beginners
    Kivy Python
    Kivy Tutorial
    Kivy for Python
    Kivy Installation on Windows

    ReplyDelete
  8. adityaFebruary 17, 2021 at 2:18 AM

    Good post thanks for share information.

    AppValley VIP APK
    Cami Elliott
    lola Iolani Momoa
    rolling paper alternatives
    Mp3boo
    free edu email

    ReplyDelete

Subscribe to: Post Comments (Atom)