
Latentbot Is the Next Step in Evolution for Stealthy Backdoors

Source #1: http://news.softpedia.com/news/latentbot-is-the-next-step-in-evolution-for-stealthy-backdoors-497516.shtml

 

Source #2: https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html


Backdoor bot manages to remain hidden for two years

A stealthy new backdoor was detected by FireEye's Dynamic Threat Intelligence (DTI) team, one that takes great care to hide its tracks and stay hidden on infected systems, like no other malware before it.

 

Codenamed LATENTBOT, security researchers are reporting that this particular piece of malware has infected computers in countries such as the United States, United Kingdom, South Korea, Singapore, Canada, Peru, Poland, Brazil, and the United Arab Emirates.

 

There's no specific aim for these campaigns, and LATENTBOT has been active on computers from different industry sectors.


A complex installation process

Most of the time, users get contaminated with LATENTBOT via email spam. Weaponized attachments infect the user's computer with a malware downloader, which then moves to secretly install the LuminosityLink RAT (Remote Access Trojan) on compromised PCs.

If certain conditions are met, a C&C server tells the RAT to install LATENTBOT. Unlike previous backdoor bots, this particular threat doesn't run on all systems and seems to stay away from older Windows versions (like Windows Vista or Windows Server 2008).

The LATENTBOT installation process is quite complex and designed for obscurity, going through six different stages, mainly to hide its true actions from reverse engineering.

Designed for silence, capable of complete destruction

This special care for obscurity is also present in the bot's internal makeup and behavior that uses multiple layers of code obfuscation, removes data from the PC's memory as soon as it's not needed anymore, and hides applications in a different desktop.

Additionally, LATENTBOT was created using a modular infrastructure, meaning it can upgrade itself with new features. Some of these include the ability to work as ransomware by locking the user's desktop, to drop the Pony malware on the victim's PC to steal password information, and even to wipe the victim's MBR (Master Boot Record), effectively ruining the computer's hard drive.

First signs of cyber-attacks using LATENTBOT were spotted in mid-2013. "It has managed to leave hardly any traces on the Internet," say FireEye researchers.

But there is good news. Despite LATENTBOT's special care for obfuscation and stealthiness, current antiviruses have caught up with it, and over half of the scanning engines available in VirusTotal are detecting it. They're labeling it as a generic trojan, and not a specific malware family, but at least they're detecting it.

"Although LATENTBOT is highly obfuscated, due to the multiple process injections performed, it is noisy enough to be easily detected in memory with a proper behavior-based solution," FireEye researchers conclude.


Some of the main features of LATENTBOT are listed below:

a)    Multiple layers of obfuscation
b)    Decrypted strings in memory are removed after being used
c)    Hiding applications in a different desktop
d)    MBR wiping ability
e)    Ransomlock similarities such as being able to lock the desktop
f)    Hidden VNC Connection
g)    Modular design, allowing easy updates on victim machines
h)    Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically
i)    Drops Pony malware as a module to act as infostealer

 

VirusTotal scan result. Detection ratio is 38/54.

 
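The FireEye conclusion quoted in the post above is that LATENTBOT's multiple process injections make it "noisy enough to be easily detected in memory with a proper behavior-based solution". The example below is an added illustration of that idea and is not code from FireEye, Softpedia or the LATENTBOT analysis: it walks Sysmon-style telemetry (Event ID 8 CreateRemoteThread and Event ID 10 ProcessAccess, using Sysmon's field names) and reports chains where an injected process goes on to inject into another one. The events, PIDs and image paths are constructed for the example, and the two-hop threshold and the "root injector" heuristic are assumptions, not anything the article states about LATENTBOT.

```python
"""Behaviour-based spotting of multi-stage process injection from Sysmon-style
telemetry (Event ID 8 CreateRemoteThread, Event ID 10 ProcessAccess).

Added example; the events below are constructed and the access-mask bits are
the documented PROCESS_* constants from winnt.h."""
from collections import defaultdict

# Handle rights an injector needs: CREATE_THREAD, VM_OPERATION, VM_WRITE (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample telemetry; PIDs and image names are placeholders.
SAMPLE_EVENTS = [
    # benign: Task Manager opening a handle with PROCESS_QUERY_LIMITED_INFORMATION only
    {"EventID": 10, "SourceProcessId": 700, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetProcessId": 1234, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1000"},
    # stage 1: a dropper opens svchost with full rights, then starts a remote thread in it
    {"EventID": 10, "SourceProcessId": 4100, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
     "TargetProcessId": 1234, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceProcessId": 4100, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
     "TargetProcessId": 1234, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # stage 2: the injected svchost in turn injects into explorer
    {"EventID": 8, "SourceProcessId": 1234, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 2048, "TargetImage": r"C:\Windows\explorer.exe"},
]


def is_injection_event(ev):
    """True for a CreateRemoteThread, or a ProcessAccess whose granted rights
    include every bit an injector needs (write memory, change protections,
    create a thread). Query-only handles such as 0x1000 do not qualify."""
    if ev["EventID"] == 8:
        return True
    if ev["EventID"] == 10:
        granted = int(ev["GrantedAccess"], 16)
        return granted & INJECT_MASK == INJECT_MASK
    return False


def build_injection_graph(events):
    """Return (edges, images): edges maps an injecting PID to the set of PIDs it
    touched with injection-capable access; images maps PID -> image path."""
    edges = defaultdict(set)
    images = {}
    for ev in events:
        images.setdefault(ev["SourceProcessId"], ev["SourceImage"])
        images.setdefault(ev["TargetProcessId"], ev["TargetImage"])
        if is_injection_event(ev):
            edges[ev["SourceProcessId"]].add(ev["TargetProcessId"])
    return edges, images


def find_injection_chains(events, min_hops=2):
    """Return maximal chains [(pid, image), ...] with at least min_hops injections.

    Two or more hops means a process that was itself injected into is now
    injecting somewhere else: the multi-stage pattern the researchers call noisy.
    The min_hops=2 threshold is an assumption chosen for this example."""
    edges, images = build_injection_graph(events)
    chains = []

    def walk(path):
        extended = False
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in path:  # guard against A -> B -> A loops
                extended = True
                walk(path + [nxt])
        if not extended and len(path) - 1 >= min_hops:
            chains.append([(pid, images.get(pid, "?")) for pid in path])

    # Roots are injectors that nobody injected into (heuristic, assumed here).
    targets = {t for ts in edges.values() for t in ts}
    for root in sorted(edges):
        if root not in targets:
            walk([root])
    return chains


if __name__ == "__main__":
    for chain in find_injection_chains(SAMPLE_EVENTS):
        print(" -> ".join(f"{pid}:{img.rsplit(chr(92), 1)[-1]}" for pid, img in chain))
```

On the constructed sample this reports a single chain, invoice.exe -> svchost.exe -> explorer.exe, and ignores the Task Manager handle because 0x1000 carries none of the write or create-thread rights. In a real deployment the same logic runs over the Sysmon event stream, and the allow-listing of legitimate injectors (debuggers, some AV and accessibility tools) is the part that needs local tuning.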

Hm, stealthily getting into everywhere with no clear purpose as of yet... another Stuxnet?


Wait, I noticed this from that link:


If LATENTBOT is running on a laptop, it will query the battery status via GetSystemPowerStatus and if the battery is running Low or Critical, it will call SetThreadExecutionState to try to prevent the system from sleeping or turning the display off.

 

Why go to all that trouble to make it stealthy and then do something like this that should be a dead giveaway something is up?

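The SetThreadExecutionState behaviour quoted in the comment above does leave a trace a defender can look for: when the call is made with ES_CONTINUOUS, the power manager keeps a standing power request for the calling process, and `powercfg /requests` (from an elevated prompt) lists it under DISPLAY or SYSTEM as a `[PROCESS]` entry. The script below is an added example, not code from FireEye or from the forum, that parses that output and flags process-level requests not on an allow-list. The sample output, the executable names and the allow-list are constructed for the example.

```python
"""Flag processes holding the display or system awake via `powercfg /requests`.

Added example. A continuous SetThreadExecutionState(ES_SYSTEM_REQUIRED or
ES_DISPLAY_REQUIRED) request is recorded as a power request and appears in
the output parsed here. SAMPLE_OUTPUT and ALLOWED_PROCESSES are constructed."""
import platform
import subprocess

# Constructed sample in the layout powercfg /requests prints: a section header
# per request type, "None." when empty, otherwise "[KIND] name" lines, each
# optionally followed by a free-text reason line.
SAMPLE_OUTPUT = """\
DISPLAY:
None.

SYSTEM:
[DRIVER] High Definition Audio Device (HDAUDIO\\FUNC_01&VEN_0000&DEV_0000\\4&0&0001)
An audio stream is currently in use.

[PROCESS] \\Device\\HarddiskVolume2\\Program Files\\VideoPlayer\\player.exe
Video playback in progress.

[PROCESS] \\Device\\HarddiskVolume2\\Users\\victim\\AppData\\Local\\Temp\\updater.exe

AWAYMODE:
None.

EXECUTION:
None.

PERFBOOST:
None.

ACTIVELOCKSCREEN:
None.
"""

# Constructed allow-list of executables expected to hold the machine awake.
ALLOWED_PROCESSES = {"player.exe"}


def parse_power_requests(text):
    """Return {section: [(kind, name, reason), ...]} from powercfg /requests output.

    kind is DRIVER, PROCESS or SERVICE; reason is the free-text line that follows
    an entry, or '' when the requester supplied none (the legacy
    SetThreadExecutionState API has no reason string, so those entries are bare)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1].isupper():
            current = line[:-1]
            sections[current] = []
            continue
        if current is None or line == "None.":
            continue
        if line.startswith("[") and "]" in line:
            kind, _, name = line.partition("]")
            sections[current].append([kind[1:], name.strip(), ""])
        elif sections[current]:
            sections[current][-1][2] = line  # reason text for the previous entry
    return {k: [tuple(e) for e in v] for k, v in sections.items()}


def suspicious_wake_requests(text, allowed=ALLOWED_PROCESSES):
    """PROCESS entries in the DISPLAY and SYSTEM sections whose executable name
    is not allow-listed, as (section, full_path, reason) tuples."""
    findings = []
    requests = parse_power_requests(text)
    for section in ("DISPLAY", "SYSTEM"):
        for kind, name, reason in requests.get(section, []):
            exe = name.rsplit("\\", 1)[-1].lower()
            if kind == "PROCESS" and exe not in allowed:
                findings.append((section, name, reason))
    return findings


if __name__ == "__main__":
    if platform.system() == "Windows":
        # powercfg /requests needs an elevated prompt; otherwise it prints an access error.
        text = subprocess.run(["powercfg", "/requests"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_OUTPUT
    for section, name, reason in suspicious_wake_requests(text):
        print(f"{section}: {name}  ({reason or 'no reason given'})")
```

Two caveats for anyone using this as a hunt. A one-shot SetThreadExecutionState call without ES_CONTINUOUS only resets the idle timer and leaves no standing request, so only the persistent form is visible here. And because the request is attributed to the process that made the call, code injected into a system process shows up under that process's path (svchost.exe, explorer.exe), so an entry with a familiar name and no reason string still deserves a look rather than an automatic pass.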
