Security researchers have discovered a Trojan that attaches its malicious code to routines normally used only to control the inputs from mouse clicks.
The tactic is designed to smuggle malicious code past automated threat analysis systems. During such procedures there's no user input and certainly no mouse moving and clicking. The malicious code is designed to remain inactive unless the mouse itself is in use, giving a fair chance that the RAT (remote access Trojan) will remain undetected.
The growing volume of malware means automated threat analysis systems are increasingly important. Only the more unusual analysis work gets passed on to human analysts. Even if the mouse-attached RAT gets caught out at this stage it still gains extra longevity. The development means that anti-virus firms will probably need to include a virtual mouse clicker and nudger in their automated analysis routines.
The sneaky mouse-hogging malware was detected by security researchers at Symantec. The security giant has also come across strains of malware that use "sleep mode" to evade dynamic analysis systems.
A detailed write-up of both (unnamed) threats can be found in a blog post
Here