Windows Troubleshooting Platform Abused by the LatentBot Malware

Proofpoint researchers have warned that a highly obfuscated malicious backdoor, which has been compromising companies since 2013, was recently caught using the Windows Troubleshooting Platform (WTP) feature in its distribution strategy.

The malware, which was uncovered last year, is called LatentBot and it is a modular bot. Using it, the crooks are able to steal information, gain remote access, and perform surveillance. Moreover, the threat managed to infect organizations and stay under the radar for about two years before finally being detected by FireEye. In the past year, the backdoor succeeded in compromising companies all over the world, including in the U.S., the U.K., Brazil, Poland, Peru, South Korea, Singapore, Canada, and the United Arab Emirates.

In its latest campaign, researchers found that LatentBot is abusing WTP to fool victims into executing its malicious payload, which was previously delivered via email attachments. Proofpoint experts say that this distribution strategy is quite successful because the execution of WTP does not come with a security warning and users tend to run the troubleshooter when it appears in Windows.

Email attachments were used to deliver a lure document, but Proofpoint argues that there is a chance the same technique is used with other spreading methods as well. When the malicious doc is opened, the user is asked to “double-click to auto detect charset” and if they do, an embedded OLE object is launched.

The object is not only a digitally signed DIAGCAB file (the Windows extension for a Troubleshooting pack), but also shows the victim one more convincingly realistic window. This is an attempt to mislead the user into executing scripts associated with the troubleshooting package, namely a PowerShell command to download and launch the malicious payload.

According to security researchers, crooks who abuse such troubleshooting packages are able to customize the actions, the dialog's appearance, and the scripts that it runs, using XML formatting. The malware execution is extremely effective at dodging sandbox detection because the malicious activity is performed outside the binary loading the “.diagcab” file.

“This continues the trend of malware authors seeking new sandbox evasion methods via COM-based non-standard execution flow; previous examples of these methods are WMI, Office Interoperability, Background Intelligent Transfer Service, and the Task Scheduler. In this instance, via the creation of an IScriptedDiagnosticHost COM object in msdt.exe, the DcomLaunch service starts the Scripted Diagnostics Host (sdiagnhost.exe) which will launch command shell and PowerShell commands.” – Proofpoint researchers note.
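Because sdiagnhost.exe is started by DcomLaunch rather than by msdt.exe, a defender has to correlate the two by host and time instead of by parent-child link. The sketch below is an added example, not code from Proofpoint or this article; the event field names, the sample events, and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"ts": "2016-01-01T10:00:00", "host": "ws1",
     "image": r"C:\Windows\System32\msdt.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": r'msdt.exe /cab "C:\Users\a\AppData\Local\Temp\sample.diagcab"'},
    {"ts": "2016-01-01T10:00:05", "host": "ws1",
     "image": r"C:\Windows\System32\sdiagnhost.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": "sdiagnhost.exe -Embedding"},
    {"ts": "2016-01-01T10:00:09", "host": "ws1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\sdiagnhost.exe",
     "cmd": "powershell.exe -NonInteractive -File TS_Sample.ps1"},
    {"ts": "2016-01-01T10:02:00", "host": "ws2",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\sdiagnhost.exe",
     "cmd": "cmd.exe /c ipconfig"},  # troubleshooter with no .diagcab seen: not flagged
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_wtp_abuse(events, window=WINDOW):
    """Pair each msdt.exe .diagcab launch with shells later spawned by
    sdiagnhost.exe on the same host. The two are not parent and child
    (DcomLaunch starts sdiagnhost.exe), so correlation is by host and time."""
    seen, hits = {}, []  # seen: host -> [(time, msdt event)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        image, parent = base(ev["image"]), base(ev["parent"])
        if image == "msdt.exe" and ".diagcab" in ev["cmd"].lower():
            seen.setdefault(ev["host"], []).append((t, ev))
        elif parent == "sdiagnhost.exe" and image in SHELLS:
            hits += [(src, ev) for t0, src in seen.get(ev["host"], [])
                     if timedelta(0) <= t - t0 <= window]
    return hits

if __name__ == "__main__":
    for src, shell in find_wtp_abuse(EVENTS):
        print(f"{shell['host']}: {base(src['parent'])} -> msdt.exe (.diagcab), "
              f"then sdiagnhost.exe -> {shell['cmd']}")
```

The parent of the msdt.exe event is kept in each hit so an analyst can see whether an Office application opened the troubleshooting pack.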

Also, the malware delivered in this campaign was observed loading a series of bot plugins for exfiltration and remote access, including remote_desktop_service, Bot_Engine, vnc_hide_desktop, security, and send_report.

This is not the first time a built-in Microsoft Windows feature has been abused for such malicious purposes, and this latest campaign clearly shows that the crooks are constantly coming up with new ideas. Last week, the FireEye team revealed that cybercriminals have found another way to abuse Windows Management Instrumentation (WMI) queries to evade detection. Moreover, the crooks make sure that the ideas they come up with are cleverly executed. This LatentBot campaign, for example, aside from being able to bypass sandbox detection, was also professionally crafted to fool even experienced users.
