Skip to main content

Trojan Upclicker malware infecting PCs via mouse input

Windows PC owners be warned — there's a new strain of malware out there that befuddles users into helping it accomplish its dirty deeds via mouse clicks.

Dubbed "Trojan Upclicker" by the FireEye Malware Intelligence Lab researchers who identified it, this elusive bit of malicious code is purpose-built to evade identification by the automated analysis systems used by many anti-virus vendors.

FireEye researchers Abhishek Singh and Yasir Khalid noted that Trojan Upclicker is a variant of malware using a newly recognised technique highlighted recently by Symantec.

Once installed on a PC, Trojan Upclicker works by hooking its functionality to a computer mouse. Basically, the code only executes when the mouse's left button is clicked and released, at which point it opens Internet Explorer and injects its payload of nastiness.

What's clever about this approach is that the sandbox environments used by researchers to analyse malware don't incorporate mouse inputs, so Trojan Upclicker and similarly designed viruses remain dormant and undetected in those automated analysis systems.

Singh and Khalid get pretty detailed in a blog post on Trojan Upclicker, explaining how it uses the '0Eh' parameter and function 'SetWinodwsHookExA' to hook a mouse and monitor mouse movements. The aforementioned click and release of the left button triggers the function 'UnhookWindowsHookEx' to "unhook the malicious code from the mouse, after which the code makes a call to the function sub_401170(), which then executes the malicious code," according to the duo.

In Internet Explorer, Trojan Upclicker generates a DNS query/reply for the domain '', establishing a malicious communication channel through destination ports 80 and 443, the pair said.

The two FireEye researchers guessed that more malware like Trojan Upclicker would emerge.

"From the analysis it is concluded that the Trojan Upclicker establishes malicious communication only when the left mouse button is clicked and released. Since, in sandboxes, there is no mouse interaction, the malicious behaviour of Upclicker remains dormant in a sandbox environment," Singh and Khalid wrote.

"In order to process enormous amounts of samples, automated sandbox analysis is commonly being used by the anti-virus industry. To evade automated analysis, we expect to see more such samples that can use a specific aspect like pressing specific keys, specific mouse buttons, or movement of the mouse a certain distance to evade the automated analysis," they added.

The arrival of Trojan Upclicker on the malware scene follows a similarly malicious bit of covert code, dubbed FakeLookout, which affected Google's Play store earlier in the year.