Backdoor Hits WTP

Wednesday, October 12, 2016 @ 10:10 AM gHale

A backdoor that has been infecting organizations on a global basis for three years is now going after the Windows Troubleshooting Platform (WTP), researchers said.

“LatentBot,” ended up detected last year, said researchers at Proofpoint.

New Backdoor Trojan
Switch in Malware Distribution
Linux DDoS Trojan Found
New Linux Trojan

The malware allows attackers to perform surveillance, steal information, and gain remote access operations, Proofpoint researchers said.

Of late, LatentBot was going after WTP to trick victims into executing the malicious payload, which was going out via email attachments. Because the execution of WTP isn’t accompanied by a security warning and users would run the troubleshooter when it appears in Windows, the attack becomes highly effective, Proofpoint researchers said in a blog post.

Email attachments ended up used to deliver a document. As soon as the victim opens malicious document, the victim ends up asked to “double-click to auto detect charset” and if they comply an embedded OLE object launches.

Not only is the object a digitally signed DIAGCAB file (the Windows extension for a Troubleshooting pack), but it also presents to the victim another realistic window. This tricks the user into executing scripts associated with the troubleshooting package, namely a PowerShell command to download and launch the malicious payload.

Researchers said the attackers using troubleshooting packages can customize the dialog’s appearance, actions, and scripts that it runs, via XML formatting. Because the malicious activity ends up performed outside the binary loading the .diagcab file, the malware execution method is highly effective at bypassing detection.

“Attackers continue to find new ways to take advantage of built-in Microsoft Windows features in order to provide a seamless and low-resistance process for their victims to execute the intended payloads. In this case the attackers provide a very natural ‘Windows’ experience that could fool even experienced users,” Proofpoint researchers said. “In addition, this technique provides an unusual execution chain which bypasses observation by many sandbox products, making detection considerably more difficult.”