This malware uses trigonometry to stop it from being detected and blocked

Hackers have found an ingenious mathematical method to spot an antivirus sandbox

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The notion that hackers are constantly evolving their tactics has once again been proven, after a new strain ofmalwareuser was found to be using trigonometry to avoid detection.

Cybersecurity researchers Outpost24 recently analyzed the latest version of Lumma Stealer, a known infostealer malware capable of grabbing passwords stored in popularbrowsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service, for a subscription fee ranging between $250 and $1,000.

In its analysis, Outpost24’s researchers found that Lumma’s fourth version comes with a number of new evasion techniques, allowing it to operate next to most antivirus or endpoint protection services. These techniques include control flow flattening obfuscation, human-mouse activity detection, XOR encrypted strings, support for dynamic configuration files, and enforcement of crypto use on all builds.

Reader Offer: $50 Amazon gift card with demoPerimeter 81’s Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?)

Using mouse movement

Of these techniques, the detection of human-mouse activity is the most interesting one, as that’s how the infostealer can see if it’s running in an antivirus sandbox. As the researchers explain, the malware tracks the cursor’s position and records a series of five distinct positions in intervals of 50 milliseconds. Then, using trigonometry, it analyzes these positions as Euclidean vectors, calculating the angles and vector magnitudes that form the detected movement.

Vector angles below 45 degrees mean the mouse is being operated by a human. If the angles are higher, the infostealer assumes it’s being run in a sandbox and stops all activity. It resumes operations once it determines mouse activity as human again.

The threshold of 45 degrees is arbitrary, the researchers further stated, suggesting that it’s probably based on research data.

Infostealers are a popular hacking tool, as they allow threat actors to gain access to important services, such as social media accounts or email accounts. Furthermore, by stealing banking data or cryptocurrency wallet-related data, the attackers can steal victim funds and crypto tokens.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Nokia confirms data breach leaked third-party code, but its data is safe

Rising AI threats are making firms turn back to human intelligence

Black Friday is here: Sony XM5 over-ears drop to their lowest-seen price – act fast!