This malware uses trigonometry to stop it from being detected and blocked
The idea that hackers are constantly evolving their tactics has been proven again after a new version of a well-known infostealer was found to be using trigonometry to avoid detection.
Cybersecurity researchers Outpost24 recently analyzed the latest version of Lumma Stealer, a well-known infostealer malware that can obtain passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service, for a subscription price ranging between $250 and $1,000.
In their analysis, Outpost24 researchers found that Lumma’s fourth version comes with a number of new evasion techniques, allowing it to run undetected alongside most antivirus or endpoint security products. These techniques include control flow smoothing, human-mouse activity detection, XOR encoded strings, support for dynamic configuration files, and crypto usage enforcement on all builds.
Using mouse movements
Of these techniques, the detection of human-mouse activity is the most interesting, because it allows the infostealer to see whether it is running in an antivirus sandbox. As the researchers explain, the malware tracks the position of the cursor and records a series of five different positions at 50 millisecond intervals. Then, using trigonometry, it analyzes these positions as Euclidean vectors, calculating the angles and vector magnitudes that make up the detected motion.
Vector angles below 45 degrees mean the mouse is being operated by a human. If the angles are larger, the infostealer assumes it is running in a sandbox and stops all activity. It will resume operations once it determines the mouse activity to be human again.
The 45-degree threshold is arbitrary, the researchers said, suggesting it is likely based on survey data.
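The heuristic described above, reconstructed as an added example that is not code from Outpost24's report or from the malware itself: it assumes the angle checked is the turn between each movement vector and the next, and uses constructed cursor traces, so a sandbox maintainer can check whether a cursor-simulation path would be classified as human by this rule.

```python
import math
from typing import List, Optional, Sequence, Tuple

Point = Tuple[int, int]
Vector = Tuple[int, int]

# Parameters as described in the article: five cursor samples taken 50 ms
# apart, and a 45-degree threshold on the angle between movement vectors.
SAMPLE_COUNT = 5
SAMPLE_INTERVAL_MS = 50
HUMAN_ANGLE_THRESHOLD_DEG = 45.0

def displacement_vectors(points: Sequence[Point]) -> List[Vector]:
    """Euclidean displacement vectors between consecutive cursor samples."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]

def magnitude(v: Vector) -> float:
    return math.hypot(v[0], v[1])

def angle_between_deg(u: Vector, v: Vector) -> Optional[float]:
    """Angle between two vectors in degrees, or None when either vector has
    zero length (the cursor did not move, so it has no direction)."""
    mu, mv = magnitude(u), magnitude(v)
    if mu == 0.0 or mv == 0.0:
        return None
    cos_theta = (u[0] * v[0] + u[1] * v[1]) / (mu * mv)
    cos_theta = max(-1.0, min(1.0, cos_theta))  # clamp float rounding
    return math.degrees(math.acos(cos_theta))

def looks_human(points: Sequence[Point],
                threshold_deg: float = HUMAN_ANGLE_THRESHOLD_DEG) -> bool:
    """Assumption: the rule compares each movement vector with the next one;
    every such turn must stay below the threshold and the cursor must move."""
    if len(points) != SAMPLE_COUNT:
        raise ValueError(f"expected {SAMPLE_COUNT} samples, got {len(points)}")
    vecs = displacement_vectors(points)
    for u, v in zip(vecs, vecs[1:]):
        angle = angle_between_deg(u, v)
        if angle is None or angle >= threshold_deg:
            return False
    return True

# Constructed sample traces (not captured data), one point per 50 ms tick.
HUMAN_TRACE = [(100, 100), (112, 104), (125, 109), (139, 113), (152, 118)]
TELEPORT_TRACE = [(100, 100), (800, 300), (200, 650), (900, 120), (50, 500)]
IDLE_TRACE = [(400, 300)] * SAMPLE_COUNT  # cursor never moves
```

A sandbox that jumps the cursor to random screen positions (TELEPORT_TRACE) or leaves it still (IDLE_TRACE) fails the rule, while a smooth drag passes, which is why cursor simulation in analysis environments needs gradual, nearly straight motion to get past this check.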
Infostealers are a popular hacking tool because they give threat actors access to important services, such as social media accounts or email accounts. Moreover, by stealing banking details or cryptocurrency wallet details, the attackers can steal victims’ money and crypto tokens.
Through BleepingComputer