In a report published on FireEye’s blog, analysts Taha Karim and Daniel Regalado explain that the malware has been involved in multiple campaigns against enterprises located in the United States, the UK, Brazil, South Korea, Canada, and elsewhere.
“Although the infection strategy is not new, the final payload dropped – which we named LatentBot – caught our attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.”
LatentBot is dropped as the third-stage binary in an infection process that begins with a Microsoft Word exploit. Attackers create the malicious Word document using Microsoft Word Intruder (MWI); once the document is opened, a malicious executable runs and downloads the LuminosityLink Remote Access Trojan (RAT) as the second-stage binary.
This is where it gets interesting.
The entire infection process could end here and be a lot less interesting. But it doesn’t. Instead, the LuminosityLink RAT contacts a secondary command-and-control (C&C) server and loads up the LatentBot malware.
Mind-bendingly, the infection process runs up through an additional three binaries after LatentBot, the first of which is dropped by the malware. Even so, LatentBot is the final payload dropped in the campaigns observed by FireEye’s researchers.
After being dropped on a machine, LatentBot first checks to see if any of its plugins are installed. If not, it will begin to download them via a convoluted process that, among other things, involves a three-step algorithm by which the URI is encoded.
All the while, it keeps the exact nature of its activities under tight wraps, as Regaldo explained to Dark Reading:
“LatentBot won’t expose its internal workings [easily] due to its multiple layers of obfuscation and multiple injections into processes in memory. So, basically, an analyst must fully trace LatentBot in memory and have a proper response from the [C&C server] in order to understand how it works.”
Regalado goes on to note, however, that additional features, such as its removal of decrypted strings from memory after use and the dynamic decryption of APIs and callback traffic, make the malware even more difficult to spot.
It also can wipe the master boot record (MBR), thereby removing all traces of its existence from an infected machine.
Ultimately, if the download session is successful, the malware can be ordered to load up a number of different plugins, including Pony Stealer, another form of malware that is known (among other things) for targeting Bitcoin accounts. It can also mimic ransomware to the extent that it can lock up a user’s desktop.
|killosanduninstalls||MBR Wiper, Deletes all instances of the malware from a Registry and File System and finally forces a reboot|
|ClearTemp||Delete all files from temp directory|
|newvn||Injects a VNC procvess inside svchost|
|EXW_REBOOT||Reboot the machine|
|EXW_LOGOFF||Logoff current user|
|EXW_SHUTDOWN||Shutdown victim’s machine|
|Disablerds (Remote Data Service)||Sets RDS registry key 000 to 0x42|
|getinstallpluginlist||Get the plugin list from the Registry and send it to C2|
|uninstallbot||Remlove any presence from Registry, File System and Memory|
|stopkeylog||Delete keylogger from the system|
|sendkey||Send keylog data to the C2|
|clearkeylog||Delete keylog file from the system|
|findgold||Search for Bitcoin-related data in the system|
|Explorer_restart||Restart Explorer process|
|Locked||Disable mouse events|
|Unlocked||Re-enable mouse events|
|sendCtrlAltDel||Sends Ctrl+Alt+delete combination to the victim’s system|
LatentBot is clearly packing heat. But as luck would have it, it might be its very sophistication that might prove to be its downfall says the FireEye report:
“Although LatentBot is highly obfuscated, due to the multiple process injections performed, it is noisy enough to be easily detected in memory with a proper behavior-based solution.”
Indeed, over 80% of anti-virus solutions are now identifying LatentBot at the time of writing. With that in mind, an updated anti-virus could go a long way in protecting users against this persistent malware.
Users are, of course, reminded that the infection process begins with a boobytrapped Word document being opened. Always be suspicious of opening unsolicited attachments
More technical information about the malware can be found in FireEye’s report.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.