The notion that hackers are constantly evolving their tactics has once again been proven, after a new strain of malware user was found to be using trigonometry to avoid detection.

Cybersecurity researchers Outpost24 recently analyzed the latest version of Lumma Stealer, a known infostealer malware capable of grabbing passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service, for a subscription fee ranging between $250 and $1,000.

In its analysis, Outpost24’s researchers found that Lumma’s fourth version comes with a number of new evasion techniques, allowing it to operate next to most antivirus or endpoint protection services. These techniques include control flow flattening obfuscation, human-mouse activity detection, XOR encrypted strings, support for dynamic configuration files, and enforcement of crypto use on all builds.


Using mouse movement

Of these techniques, the detection of human-mouse activity is the most interesting one, as that’s how the infostealer can see if it’s running in an antivirus sandbox. As the researchers explain, the malware tracks the cursor’s position and records a series of five distinct positions in intervals of 50 milliseconds. Then, using trigonometry, it analyzes these positions as Euclidean vectors, calculating the angles and vector magnitudes that form the detected movement.

Vector angles below 45 degrees mean the mouse is being operated by a human. If the angles are higher, the infostealer assumes it’s being run in a sandbox and stops all activity. It resumes operations once it determines mouse activity as human again. 

The threshold of 45 degrees is arbitrary, the researchers further stated, suggesting that it’s probably based on research data. 

Infostealers are a popular hacking tool, as they allow threat actors to gain access to important services, such as social media accounts or email accounts. Furthermore, by stealing banking data or cryptocurrency wallet-related data, the attackers can steal victim funds and crypto tokens.

Via BleepingComputer

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums