Latentbot - Advanced Backdoor with Stealthy Capabilities - How-to, Technology and PC Security Forum

Latentbot – Advanced Backdoor with Stealthy Capabilities


Security experts will surely stumble upon more and more backdoors and botnets as we witness a rise in infections with ransomware and APTs (advanced persistent threats).

Interestingly, newly detected backdoors and botnets may not be new at all. Why? Such threats can go undetected for months and even years. If a threat is discovered in 2015, it doesn’t necessarily mean that the threat was recently created.


One of the latest uncovered backdoors has proven to be quite stealthy. Dubbed Latentbot, the persistent threat has been around at least since 2013. Researchers at FireEye recently revealed that Latentbot has been affecting victims in the United States, the United Kingdom, Canada, Brazil, Peru, Poland, Singapore, South Korea and the United Arab Emirates.
Its victims are primarily in the financial and insurance sectors. However, other sectors have been compromised as well.

Latentbot Backdoor Capabilities

The distribution techniques employed by the malware dropper may not be innovative, but the payload of the attack (Latentbot) has definitely caught researchers’ attention. Not only does it implement several layers of obfuscation, but it also has a unique exfiltration mechanism.

These are the capabilities of Latentbot, summarized by the FireEye research team:

1. Multiple layers of obfuscation
2. Decrypted strings in memory are removed after being used
3. Hiding applications in a different desktop
4. MBR wiping ability
5. Ransomlock similarities such as being able to lock the desktop
6. Hidden VNC Connection
7. Modular design, allowing easy updates on victim machines
8. Stealth: callback traffic, APIs, registry keys and any other indicators are decrypted dynamically
9. Drops Pony malware as a module to act as infostealer

Latentbot Payload, Purpose of Attacks

Besides being stealthy, Latentbot is designed to keep its malicious code in the memory of the machine only for as long as it is needed. After that, the code is deleted. As the researchers point out, most of the encoded data is located either in the program resources or in the registry. Also, a specific, custom-made encryption algorithm is shared across the various components. The command and control communications are encrypted as well. Because of that, Latentbot’s family binaries are detected under a generic name, e.g. Trojan.Generic.

Here is a list of some of its detections by AV vendors:

  • Trojan.Win32.Generic!BT
  • Trojan.GenericKD.2778570
  • Trojan.Generic.D2A65CA
  • UnclassifiedMalware
  • Trojan.MSIL.Crypt
  • Backdoor/Androm.tzz

Latentbot’s Infection Process

The attack is triggered by opening a spam email containing malicious attachments. Once such an attachment is executed, the computer is infected with a malware downloader that drops the LuminosityLink RAT (Remote Access Trojan). Once the RAT determines whether the particular machine meets the requirements (e.g. if the PC runs Windows Vista, it will not be attacked), the payload of the operation, a.k.a. Latentbot, is dropped. As a whole, the installation process of Latentbot is sophisticated, going through six different stages. The main purpose is to conceal its activities and hinder reverse engineering.

Does Latentbot perform targeted attacks?
According to researchers, the stealthy backdoor is not targeted, at least not in the industries it has affected. However, it is selective when it comes to the types of Windows system it attacks. Latentbot won’t run on Windows Vista or Server 2008, and it uses compromised websites for its command and control infrastructure. Thus, the infection process becomes easier, and detection more difficult.

Latentbot for a Reason

Latentbot is indeed latent – it has been designed for silent malicious activity. Its several layers of obfuscation and the fact that it can remove data from the computer’s memory once it is no longer needed make it quite dangerous and stealthy. Furthermore, Latentbot can also act as ransomware by locking the victim’s desktop and dropping the Pony malware on the victim’s MBR (Master Boot Record).

To make Latentbot even more fearsome, it was designed with a modular infrastructure, making it capable of upgrading itself with new features whenever they are needed.

In conclusion, FireEye researchers say that Latentbot is ‘noisy enough’ to be detected in memory with the help of an advanced solution.




Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
