LatentBot is an unusual piece of malware that uses multiple layers of obfuscation and has been used to target companies in the financial and insurance industries around the world.
According to a report by analysts Taha Karim and Daniel Regalado, this malware has been involved in multiple campaigns against enterprises located in the United States, the UK, Brazil, South Korea, Canada, and elsewhere. The analysts state:
“Although the infection strategy is not new, the final payload dropped – which we named LatentBot – caught our attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.”
LatentBot is the third-stage binary in an infection process that begins with a Microsoft Word exploit. The malicious Word document is built with Microsoft Word Intruder (MWI), and as soon as the document is opened, a malicious executable runs and downloads the LuminosityLink Remote Access Trojan (RAT) as the second-stage binary.
According to The Register, the LuminosityLink RAT has all the capabilities an attacker needs to assume remote control of a virtual machine. However, the infection process does not end there. After taking remote control of the computer, the LuminosityLink RAT contacts a secondary command-and-control (C&C) server and loads the LatentBot malware.
The infection process continues through an additional three binaries after LatentBot, the first of which is dropped by the malware itself. Even so, LatentBot is the final payload dropped in the campaigns observed by FireEye’s researchers.
Once on the PC, LatentBot first checks whether any of its plugins are installed. If not, it downloads them through a convoluted process involving a three-step algorithm by which the URI is encoded. Throughout, it keeps the exact nature of its activities under tight wraps. According to Regalado:
“LatentBot won’t expose its internal workings [easily] due to its multiple layers of obfuscation and multiple injections into processes in memory. So, basically, an analyst must fully trace LatentBot in memory and have a proper response from the [C&C server] in order to understand how it works.”
Regalado also notes that additional features, such as the removal of decrypted strings from memory after use and the dynamic decryption of APIs and callback traffic, make the malware even more difficult to spot. In addition, it can wipe the master boot record (MBR), thereby removing all traces of its existence from an infected machine.
If the download session succeeds, the malware can be ordered to load a number of different plugins, including Pony Stealer, another form of malware that is known for targeting Bitcoin accounts and can lock users’ desktops.