Security experts will keep encountering new backdoors and botnets, as the infection rate of ransomware and APTs (advanced persistent threats) continues to rise.
Interestingly enough, newly detected backdoors and botnets may not be new at all. Why? Such threats can go undetected for months and even years. If a threat is discovered in 2015, it doesn’t necessarily mean that the threat was recently created.
One of the latest uncovered backdoors has proven to be quite stealthy. Dubbed Latentbot, the persistent threat has been around at least since 2013. Researchers at FireEye recently revealed that Latentbot has been affecting victims in the United States, United Kingdom, Canada, Brazil, Peru, Poland, Singapore, South Korea and the United Arab Emirates.
Its victims are primarily in the financial and insurance sectors. However, other sectors have been compromised as well.
Latentbot Backdoor Capabilities
The distribution techniques employed by the malware dropper may not be innovative but the payload of the attack (Latentbot) has definitely caught researchers’ attention. Not only does it implement several layers of obfuscation but it also has a unique exfiltration mechanism.
These are the capabilities of Latentbot, summarized by the FireEye research team:
1. Multiple layers of obfuscation
2. Decrypted strings in memory are removed after being used
3. Hiding applications in a different desktop
4. MBR wiping ability
5. Ransomlock similarities such as being able to lock the desktop
6. Hidden VNC Connection
7. Modular design, allowing easy updates on victim machines
8. Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically
9. Drops Pony malware as a module to act as infostealer
Latentbot Payload, Purpose of Attacks
Besides being stealthy, Latentbot is designed to keep its malicious code in the memory of the machine for as long as it is needed. Then, the code will be deleted. As researchers point out, most of the encoded data is located either in the program resources or in the registry. Also, a specific, custom made encryption algorithm is shared across the various components. The command and control communications are also encrypted. Because of this, Latentbot’s family binaries are detected with a generic name, e.g. Trojan.Generic.
Here is a list of some of its detections by AV vendors:
- Trojan.Win32.Generic!BT
- Trojan.GenericKD.2778570
- Trojan.Generic.D2A65CA
- UnclassifiedMalware
- Trojan.MSIL.Crypt
- Backdoor/Androm.tzz
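Because the report notes that much of Latentbot's encoded data lives in program resources or in the registry, a defender's first cheap check is to hunt for registry values that look like stored payloads: unusually large values with high byte entropy under persistence and per-user keys. The script below is an added example, not code from FireEye or from this article; the key paths, the size threshold (4 KB) and the entropy threshold (6.5 bits per byte) are assumptions chosen for a generic hunt, since the page gives no Latentbot-specific key names.

```powershell
# Added example: generic hunt for large, high-entropy registry values that may hold
# encoded payloads. Paths and thresholds are assumptions, not indicators from the report.
$HuntPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software'   # per-user subtree where opaque blobs often hide
)
$MinSize    = 4096   # assumed: ignore values smaller than 4 KB
$MinEntropy = 6.5    # assumed: bits per byte; encrypted/compressed data is close to 8

function Get-ShannonEntropy {
    # Shannon entropy in bits per byte over a byte array.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $n = [double]$Bytes.Length
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $n
        $h -= $p * [Math]::Log($p, 2)
    }
    return $h
}

function Find-SuspiciousRegistryBlobs {
    param([string[]]$Paths, [int]$MinSize, [double]$MinEntropy)
    foreach ($path in $Paths) {
        # Recurse through subkeys; inaccessible keys are skipped silently.
        $keys = @(Get-Item -Path $path -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                # Treat REG_BINARY as-is; treat strings as ASCII bytes so that
                # base64/hex-encoded payloads are measured on their text form.
                $bytes = $null
                if ($value -is [byte[]]) { $bytes = $value }
                elseif ($value -is [string]) { $bytes = [Text.Encoding]::ASCII.GetBytes($value) }
                if (-not $bytes -or $bytes.Length -lt $MinSize) { continue }
                $entropy = Get-ShannonEntropy -Bytes $bytes
                if ($entropy -ge $MinEntropy) {
                    [pscustomobject]@{
                        Key     = $key.Name
                        Value   = if ($name) { $name } else { '(Default)' }
                        Size    = $bytes.Length
                        Entropy = [Math]::Round($entropy, 2)
                    }
                }
            }
        }
    }
}

Find-SuspiciousRegistryBlobs -Paths $HuntPaths -MinSize $MinSize -MinEntropy $MinEntropy |
    Sort-Object -Property Size -Descending |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that the HKLM paths are readable; hits are leads to triage (export the value and inspect it offline), not verdicts, since legitimate software also stores compressed settings and licence blobs in the registry. Base64-encoded text tops out at 6 bits per byte, so lower the entropy threshold to about 5.8 if you want text-encoded payloads to surface as well.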
Latentbot’s Infection Process
The attack is triggered by opening a spam email containing malicious attachments. Once such an attachment is executed, the computer will be infected with a malware downloader that will drop the LuminosityLink RAT (Remote Access Trojan). Once the RAT determines that the particular machine meets the requirements (e.g. if the PC is running Windows Vista, it won’t be attacked), the payload of the operation, a.k.a. Latentbot, is dropped. As a whole, the installation process of Latentbot is sophisticated, going through six different stages. The main purpose is to conceal its activities and hinder reverse engineering.
Does Latentbot perform targeted attacks?
According to researchers, the stealthy backdoor is not targeted, at least not in the industries it has affected. However, it is selective when it comes to the types of Windows systems it attacks. Latentbot won’t run on Windows Vista or Server 2008, and it uses compromised websites for its command and control infrastructure. Thus, the infection process becomes easier, and the detection more difficult.
Latentbot for a Reason
Latentbot is indeed latent – it has been designed for silent malicious activities. Its several layers of obfuscation and the fact that it can remove the data from the computer’s memory once it is not needed make it quite dangerous and stealthy. Furthermore, Latentbot can also act as a ransomware by locking the victim’s desktop and dropping the Pony malware on the victim’s MBR (Master Boot Record).
To make Latentbot even more fearsome, it was designed with a modular infrastructure, making it capable of upgrading itself with new features whenever they are needed.
In conclusion, FireEye researchers say that Latentbot is ‘noisy enough’ to be detected in memory with the help of an advanced solution.