Backdoor Undetected, Until Now
Monday, December 14, 2015 @ 04:12 PM gHale
A quiet, but successful backdoor infiltrated companies around the world and remained largely undetected by anti-malware since 2013, researchers said.
The backdoor, called LATENTBOT by security firm FireEye, compromised companies in the U.S., UK, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland in 2015.
“Stealth being one of its traits, LATENTBOT will only keep malicious code in memory for the short time that is needed. Most of the encoded data is found either in the program resources or in the registry. A custom encryption algorithm is shared across the different components, including in encrypting its command and control (CnC) communications. Due to this, its family binaries are detected with a generic name such as Trojan.Generic,” said FireEye researchers Taha Karim and Daniel Regalado in a blog post.
FireEye witnessed multiple campaigns targeting multiple industries, but primarily in the financial services and insurance sectors.
LATENTBOT uses a 6-stage obfuscation process and can scan for cryptocurrency wallets via the Pony stealer 2.0 malware plugin.
LATENTBOT implements multiple layers of obfuscation and a unique exfiltration mechanism, FireEye said.
The bot has also infected multiple organizations.
Some of the main features of LATENTBOT:
1. Multiple layers of obfuscation
2. Decrypted strings in memory are removed after use
3. Hiding applications in a different desktop
4. MBR wiping ability
5. Ransomlock similarities such as being able to lock the desktop
6. Hidden VNC Connection
7. Modular design, allowing easy updates on victim machines
8. Stealth: Callback Traffic, APIs, Registry keys and any other indicators end up decrypted dynamically
9. Drops Pony malware as a module to act as infostealer
LATENTBOT is not a targeted attack, but it is selective in the versions of Windows it infects, FireEye researchers said. The threat won’t run on Windows Vista or Server 2008. Additionally, if the malware is running on a laptop, it queries the battery status via GetSystemPowerStatus and calls SetThreadExecutionState to try to prevent the system from sleeping or turning the display off if the battery is low.
Based on similar samples found in the wild and passive DNS information, FireEye said LATENTBOT came to life in mid-2013, and uses compromised web servers as C2 infrastructure.
The attackers behind the campaigns have been using malicious emails containing an old Word exploit created with Microsoft Word Intruder (MWI), a well-known exploit kit. When the victim opens the malicious Word document, embedded code executes and connects to an MWISTAT server, which allows operators to track attack campaigns, and to a C2 server to download a second-stage binary, which turned out to be LuminosityLink, a RAT that can steal passwords, record keystrokes, transfer files and enable attached microphones or webcams.
“Since the running LuminosityLink is a RAT that offers multiple capabilities to fully control the infected box, it is surprising that another payload is being downloaded from a secondary C2 at emenike[.]no-ip.info (188.8.131.52),” FireEye said. That new module is LATENTBOT.