Cybersecurity experts at Outpost24 discovered an updated version of the LummaC2 virus, version 4.0, which uses trigonometric methods to track the position of the mouse cursor on the screen and thereby determine whether a user is present. This lets it stay inactive the rest of the time and makes it difficult to study in a sandbox.
Sandboxing lets cybersecurity professionals restrict the operating environment of suspicious applications so that their activity can be monitored in isolation from the vulnerable environment. LummaC2 4.0, which is designed for data theft, avoids being analyzed in a sandbox because it activates only when a person is working on the computer.
The virus records the position of the mouse cursor at five key points and triggers only when the difference between those positions is large enough to indicate a live user; human behavior is identified using trigonometry. If no human activity is detected, the malware starts the cycle again.
LummaC2 4.0 also differs from previous versions in other ways, including more effective obfuscation methods that make the code harder to analyze and a more convenient control panel, which matters for a virus that its developers sell. Cybersecurity experts note that the new mechanism makes LummaC2 4.0 a little more difficult to study: analysts need either a mouse emulator based on patterns characteristic of a live user or an analysis of the tracking algorithm. The trigonometric analysis is an ingenious solution, but experts are certain that it is unlikely to be a decisive factor in the spread of the virus.