This malware uses trigonometry to stop it from being detected and blocked

News
By Sead Fadilpašić
published

Hackers have found an ingenious mathematical method to spot an antivirus sandbox

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

The notion that hackers are constantly evolving their tactics has once again been proven, after a new strain of malware user was found to be using trigonometry to avoid detection.

Cybersecurity researchers Outpost24 recently analyzed the latest version of Lumma Stealer, a known infostealer malware capable of grabbing passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service, for a subscription fee ranging between $250 and $1,000.

In its analysis, Outpost24’s researchers found that Lumma’s fourth version comes with a number of new evasion techniques, allowing it to operate next to most antivirus or endpoint protection services. These techniques include control flow flattening obfuscation, human-mouse activity detection, XOR encrypted strings, support for dynamic configuration files, and enforcement of crypto use on all builds.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Using mouse movement

Of these techniques, the detection of human-mouse activity is the most interesting one, as that’s how the infostealer can see if it’s running in an antivirus sandbox. As the researchers explain, the malware tracks the cursor’s position and records a series of five distinct positions in intervals of 50 milliseconds. Then, using trigonometry, it analyzes these positions as Euclidean vectors, calculating the angles and vector magnitudes that form the detected movement.

Vector angles below 45 degrees mean the mouse is being operated by a human. If the angles are higher, the infostealer assumes it’s being run in a sandbox and stops all activity. It resumes operations once it determines mouse activity as human again. 

The threshold of 45 degrees is arbitrary, the researchers further stated, suggesting that it’s probably based on research data. 

Infostealers are a popular hacking tool, as they allow threat actors to gain access to important services, such as social media accounts or email accounts. Furthermore, by stealing banking data or cryptocurrency wallet-related data, the attackers can steal victim funds and crypto tokens.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.