The idea that hackers are constantly evolving their tactics has been proven once again, after a new strain of malware was discovered using trigonometry to avoid detection.
Cybersecurity researchers at Outpost24 recently analyzed the latest version of Lumma Stealer, a known information-stealing malware capable of recovering passwords stored in popular browsers, as well as cookies, credit card information and data related to cryptocurrency wallets. Lumma is offered as a service, with a subscription fee ranging from $250 to $1,000.
In their analysis, Outpost24 researchers found that the fourth version of Lumma comes with a number of new evasion techniques, allowing it to run undetected alongside most antivirus or endpoint protection products. These techniques include control flow flattening obfuscation, human mouse activity detection, XOR-encrypted strings, support for dynamic configuration files, and enforcing the use of encryption on all versions.
Use mouse movement
Among these techniques, detecting human mouse activity is the most interesting, because this is how the infostealer determines whether it is running in an antivirus sandbox. As the researchers explain, the malware tracks the position of the cursor and records a series of five distinct positions at 50 millisecond intervals. Then, using trigonometry, it analyzes these positions as Euclidean vectors, calculating the angles and magnitudes of the vectors that make up the detected motion.
Vector angles less than 45 degrees mean the mouse is being used by a human. If the angles are higher, the infostealer assumes it is running in a sandbox and stops all activity. It resumes operations once it determines that the mouse activity is human again.
The 45-degree threshold is arbitrary, the researchers added, suggesting it is likely based on research data.
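To make the heuristic concrete, here is an added Python example (not code from the Outpost24 report or from Lumma itself) that applies the described check to a recorded cursor trajectory, which lets a sandbox operator verify that their mouse emulation produces motion the sample would accept and keep executing under for analysis. It assumes the angles in question are those between consecutive displacement vectors, and that a completely idle cursor counts as non-human; both are assumptions, as are the sample trajectories.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]
Vector = Tuple[float, float]

SAMPLE_COUNT = 5          # five cursor positions, as described in the analysis
SAMPLE_INTERVAL_MS = 50   # positions are sampled 50 ms apart
ANGLE_THRESHOLD_DEG = 45  # angles below this are taken to mean a human is moving the mouse


def displacement_vectors(points: Sequence[Point]) -> List[Vector]:
    """Vector from each sampled cursor position to the next one."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]


def angle_between_deg(u: Vector, v: Vector) -> float:
    """Angle between two 2-D vectors in degrees, via the dot product.

    A zero-length vector (cursor paused between two samples) is treated as no turn;
    how Lumma handles that case is not covered by the article (assumption).
    """
    norm_u, norm_v = math.hypot(*u), math.hypot(*v)
    if norm_u == 0 or norm_v == 0:
        return 0.0
    cos_theta = (u[0] * v[0] + u[1] * v[1]) / (norm_u * norm_v)
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_theta))))  # clamp rounding error


def turn_angles_deg(points: Sequence[Point]) -> List[float]:
    """Angle between each pair of consecutive displacement vectors (three for five samples)."""
    vecs = displacement_vectors(points)
    return [angle_between_deg(a, b) for a, b in zip(vecs, vecs[1:])]


def looks_human(points: Sequence[Point], threshold_deg: float = ANGLE_THRESHOLD_DEG) -> bool:
    """Apply the described heuristic: every turn angle below the threshold means 'human'.

    A cursor that never moves produces no motion to measure; this helper reports it
    as not human so a sandbox with no mouse emulation at all is flagged (assumption).
    """
    if len(points) != SAMPLE_COUNT:
        raise ValueError(f"expected {SAMPLE_COUNT} samples, got {len(points)}")
    if all(v == (0, 0) for v in displacement_vectors(points)):
        return False
    return all(angle < threshold_deg for angle in turn_angles_deg(points))


# Constructed sample trajectories (x, y in pixels), one point per 50 ms sample.
HUMAN_DRAG = [(100, 100), (120, 105), (140, 112), (160, 121), (180, 132)]    # gentle arc
SANDBOX_JUMPS = [(100, 100), (300, 100), (100, 300), (300, 300), (100, 100)]  # teleporting cursor
IDLE_CURSOR = [(500, 500)] * SAMPLE_COUNT                                     # no emulation at all

if __name__ == "__main__":
    for name, track in [("human", HUMAN_DRAG), ("sandbox", SANDBOX_JUMPS), ("idle", IDLE_CURSOR)]:
        print(name, [round(a, 1) for a in turn_angles_deg(track)], looks_human(track))
```

The gentle arc yields turn angles of only a few degrees and passes, while the teleporting cursor turns 135 degrees at every step and would stop the sample in its tracks.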
Infostealers are a popular hacking tool because they allow bad actors to access important services, such as social media accounts or email accounts. Additionally, by stealing banking data or cryptocurrency wallet-related data, attackers can steal victims’ funds and crypto tokens.