LatentBot malware opens a backdoor on the finance industry

David Bisson

Security researchers have uncovered the LatentBot malware, a sophisticated and unusual attack that is using multiple levels of obfuscation to target companies in the financial and insurance industries around the world.

In a report published on FireEye’s blog, analysts Taha Karim and Daniel Regalado explain that the malware has been involved in multiple campaigns against enterprises located in the United States, the UK, Brazil, South Korea, Canada, and elsewhere.

“Although the infection strategy is not new, the final payload dropped – which we named LatentBot – caught our attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.”

LatentBot is dropped as the third-stage binary in an infection process that begins with a Microsoft Word exploit. Attackers create the malicious Word document using Microsoft Word Intruder (MWI); once the document is opened, a malicious executable runs and downloads the LuminosityLink Remote Access Trojan (RAT) as the second-stage binary.


Figure: LatentBot infection phase

This is where it gets interesting.

As noted by The Register, the LuminosityLink RAT has all the capabilities needed for an attacker to assume remote control of a victim’s machine.

The entire infection process could end here and be a lot less interesting. But it doesn’t. Instead, the LuminosityLink RAT contacts a secondary command-and-control (C&C) server and loads up the LatentBot malware.

Mind-bendingly, the infection process runs up through an additional three binaries after LatentBot, the first of which is dropped by the malware. Even so, LatentBot is the final payload dropped in the campaigns observed by FireEye’s researchers.

After being dropped on a machine, LatentBot first checks to see if any of its plugins are installed. If not, it will begin to download them via a convoluted process that, among other things, involves a three-step algorithm by which the URI is encoded.

All the while, it keeps the exact nature of its activities under tight wraps, as Regalado explained to Dark Reading:

“LatentBot won’t expose its internal workings [easily] due to its multiple layers of obfuscation and multiple injections into processes in memory. So, basically, an analyst must fully trace LatentBot in memory and have a proper response from the [C&C server] in order to understand how it works.”

Regalado goes on to note, however, that additional features, such as its removal of decrypted strings from memory after use and the dynamic decryption of APIs and callback traffic, make the malware even more difficult to spot.

It also can wipe the master boot record (MBR), thereby removing all traces of its existence from an infected machine.

Ultimately, if the download session is successful, the malware can be ordered to load up a number of different plugins, including Pony Stealer, another form of malware that is known (among other things) for targeting Bitcoin accounts. It can also mimic ransomware to the extent that it can lock up a user’s desktop.

| Command | Action |
| --- | --- |
| killosanduninstalls | MBR Wiper, Deletes all instances of the malware from a Registry and File System and finally forces a reboot |
| ClearTemp | Delete all files from temp directory |
| newvn | Injects a VNC process inside svchost |
| EXW_REBOOT | Reboot the machine |
| EXW_LOGOFF | Logoff current user |
| EXW_SHUTDOWN | Shutdown victim’s machine |
| Disablerds | (Remote Data Service) Sets RDS registry key 000 to 0x42 |
| getinstallpluginlist | Get the plugin list from the Registry and send it to C2 |
| uninstallbot | Remove any presence from Registry, File System and Memory |
| startkey | Start keylogger |
| stopkeylog | Delete keylogger from the system |
| sendkey | Send keylog data to the C2 |
| clearkeylog | Delete keylog file from the system |
| findgold | Search for Bitcoin-related data in the system |
| Explorer_restart | Restart Explorer process |
| Locked | Disable mouse events |
| Unlocked | Re-enable mouse events |
| sendCtrlAltDel | Sends Ctrl+Alt+delete combination to the victim’s system |
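
An added example (not from FireEye's report or the original article): a Python triage helper that scans strings recovered from a memory capture or decoded C&C traffic for the command names in the table above. The capability grouping, the threshold of three distinct commands and the sample input are assumptions of this example.

```python
import re
from collections import defaultdict

# Command names exactly as listed in the article's table; the capability
# grouping is this example's own, not FireEye's.
COMMANDS = {
    "destructive": ["killosanduninstalls", "uninstallbot", "ClearTemp"],
    "surveillance": ["startkey", "stopkeylog", "sendkey", "clearkeylog",
                     "findgold", "getinstallpluginlist"],
    "remote_control": ["newvn", "Disablerds", "sendCtrlAltDel",
                       "Explorer_restart", "Locked", "Unlocked"],
    "power": ["EXW_REBOOT", "EXW_LOGOFF", "EXW_SHUTDOWN"],
}
# Ordinary words that also occur in benign software; never counted alone.
GENERIC = {"locked", "unlocked"}

LOOKUP = {name.lower(): cat for cat, names in COMMANDS.items() for name in names}
TOKEN = re.compile(r"[A-Za-z_]{5,}")  # whole tokens only, shortest command is 5 chars

def triage(strings, min_distinct=3):
    """Return (verdict, hits); hits maps category -> sorted command names seen."""
    hits = defaultdict(set)
    for s in strings:
        for tok in TOKEN.findall(s):
            cat = LOOKUP.get(tok.lower())
            if cat:
                hits[cat].add(tok.lower())
    # Generic words are reported in hits but do not raise the verdict.
    distinct = {c for names in hits.values() for c in names} - GENERIC
    if len(distinct) >= min_distinct:
        verdict = "likely"
    elif distinct:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, {cat: sorted(names) for cat, names in hits.items()}

# Constructed sample input (not real telemetry).
SAMPLE_INFECTED = ["cmd=startkey", "x\x00sendkey\x00", "run findgold now",
                   "EXW_REBOOT", "Locked"]
SAMPLE_BENIGN = ["Screen Locked by user", "Unlocked at 09:00", "startup key"]

if __name__ == "__main__":
    print(triage(SAMPLE_INFECTED))
    print(triage(SAMPLE_BENIGN))
```

Because the article notes that LatentBot removes decrypted strings from memory after use, an absence of matches does not clear a host; a "likely" verdict is a reason to escalate, not a replacement for behavior-based detection.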

LatentBot is clearly packing heat. But as luck would have it, its very sophistication might prove to be its downfall, says the FireEye report:

“Although LatentBot is highly obfuscated, due to the multiple process injections performed, it is noisy enough to be easily detected in memory with a proper behavior-based solution.”

Indeed, over 80% of anti-virus solutions are now identifying LatentBot at the time of writing. With that in mind, an updated anti-virus could go a long way in protecting users against this persistent malware.

Users are, of course, reminded that the infection process begins with a boobytrapped Word document being opened. Always be suspicious of unsolicited attachments.

More technical information about the malware can be found in FireEye’s report.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
