Malware Uses Trigonometry to Track Mouse Strokes
The latest LummaC2 infostealer version includes a novel anti-sandbox trick to avoid detonating when no human mouse movements are detected.
November 20, 2023
The latest version of the LummaC2 malware-as-a-service includes a new anti-sandbox maneuver — version 4.0 knows trigonometry and can use it to track mouse movements to detect when a human user is active on a compromised computer.
Sandboxing lets cybersecurity defenders run untrusted applications in an isolated environment, where their behavior can be observed safely, away from the rest of the network. By detonating only when a human is actively using the machine, the LummaC2 infostealer avoids spilling its secrets to threat hunters in a sandbox and saves its payload for a human-controlled computer, where it can actually gain a foothold in the network.
LummaC2 v4.0 continuously tracks and maps the placement of the machine's cursor at five distinct points, until the cursor positions differ widely enough to show human movement, a new report on the development from Outpost 24 explained.
"After checking that all five captured cursor positions meet the requirements, LummaC2 v4.0 uses trigonometry to detect 'human' behavior," the report said. "If it does not detect this human-like behavior, it will start the process all over again from the beginning."
LummaC2 4.0 is constantly being updated with new features, the report added, including recent improvements to its obfuscation techniques, as well as updates to its control panel.
These incremental upgrades rolled out by malware developers are a good example of the endless game of "chicken" being played between cybercriminals and defenders, according to a statement from Andrew Barratt, vice president at Coalfire.
"Sandbox detection is a relatively common malware concept these days," Barratt said. "Sandbox-based analysts will now have to ensure they're emulating mouse activity based on actual patterns or that just follows the tracking requirements."
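To make the two threads above concrete, here is an added illustration (not LummaC2 code and not Outpost24's analysis) of the kind of check the report describes, together with a smooth cursor emulator of the sort Barratt says sandbox analysts will need. The five-sample count comes from the article; the minimum step distance, the 45-degree turn limit, and the emulator's wobble size are assumptions chosen for the example. A sandbox operator can feed their own emulated trajectories to `looks_human` to see whether a parked or randomly jumping cursor would give the sandbox away.

```python
"""Trigonometry-based 'human mouse' check of the kind described in the article,
plus a smooth cursor emulator a sandbox operator can validate against it.

Added illustration; not LummaC2 code and not Outpost24's analysis. The
thresholds MIN_STEP_PX and MAX_TURN_DEG and the emulator wobble are assumptions.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]

SAMPLES = 5            # the article says five cursor positions are captured
MIN_STEP_PX = 5.0      # assumed: consecutive samples must be at least this far apart
MAX_TURN_DEG = 45.0    # assumed: largest allowed direction change between segments


def positions_differ(points: Sequence[Point], min_step: float = MIN_STEP_PX) -> bool:
    """Every consecutive pair of samples must move at least min_step pixels.
    A parked cursor, typical of an idle sandbox, fails here."""
    return all(math.dist(a, b) >= min_step for a, b in zip(points, points[1:]))


def turn_angles(points: Sequence[Point]) -> List[float]:
    """Angle in degrees between each pair of consecutive movement vectors.
    0 means the cursor kept going straight, 180 means it reversed direction."""
    angles: List[float] = []
    for p0, p1, p2 in zip(points, points[1:], points[2:]):
        v1 = (p1[0] - p0[0], p1[1] - p0[1])
        v2 = (p2[0] - p1[0], p2[1] - p1[1])
        n1, n2 = math.hypot(*v1), math.hypot(*v2)
        if n1 == 0.0 or n2 == 0.0:
            angles.append(180.0)  # a zero-length step counts as a failed turn
            continue
        cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
        cos_theta = max(-1.0, min(1.0, cos_theta))  # guard acos against rounding
        angles.append(math.degrees(math.acos(cos_theta)))
    return angles


def looks_human(points: Sequence[Point], min_step: float = MIN_STEP_PX,
                max_turn: float = MAX_TURN_DEG) -> bool:
    """True when exactly five samples move far enough and turn smoothly."""
    if len(points) != SAMPLES:
        return False
    if not positions_differ(points, min_step):
        return False
    return all(angle <= max_turn for angle in turn_angles(points))


def human_like_path(start: Point, end: Point, samples: int = SAMPLES,
                    jitter_px: float = 15.0, seed: int = 1) -> List[Point]:
    """Hypothetical sandbox emulator: a sweep from start to end with a small
    perpendicular wobble on the interior points. Seeded for reproducibility."""
    if samples < 2:
        raise ValueError("need at least two samples")
    rng = random.Random(seed)
    dx, dy = end[0] - start[0], end[1] - start[1]
    length = math.hypot(dx, dy)
    if length == 0.0:
        raise ValueError("start and end must differ")
    perp_x, perp_y = -dy / length, dx / length  # unit vector normal to the sweep
    points: List[Point] = []
    for i in range(samples):
        t = i / (samples - 1)
        wobble = rng.uniform(-jitter_px, jitter_px) if 0 < i < samples - 1 else 0.0
        points.append((start[0] + dx * t + perp_x * wobble,
                       start[1] + dy * t + perp_y * wobble))
    return points


def evaluate_trajectories() -> Dict[str, bool]:
    """Constructed sample trajectories a sandbox operator might compare."""
    parked = [(300.0, 300.0)] * SAMPLES                      # idle cursor
    teleport = [(0.0, 0.0), (500.0, 0.0), (0.0, 0.0),
                (500.0, 0.0), (0.0, 0.0)]                    # naive random jumps
    emulated = human_like_path((100.0, 100.0), (500.0, 340.0))
    return {
        "parked": looks_human(parked),
        "teleport": looks_human(teleport),
        "emulated": looks_human(emulated),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_trajectories().items():
        print(f"{name:9s} -> {'human-like' if verdict else 'rejected'}")
```

Under these assumed thresholds the parked cursor fails the distance test and the back-and-forth jumps fail the angle test, while the wobbling sweep passes: the emulator's wobble is bounded so that no turn between consecutive segments can exceed roughly 29 degrees. The point for a sandbox operator is that the emulation has to resemble the geometry of real hand movement, not merely move the pointer.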
Although the trigonometry angle is interesting, Amelia Buck, a cybersecurity expert with Menlo Security, agrees that the new mathed-up malware is unlikely to be a huge problem for security teams to protect against.
"The impact will be limited since the current method to counter anti-sandbox measures is likely to be effective against this technique as well," Buck said in a statement. "It's worth noting that the use of trigonometry in this technique adds an interesting element."