Image from  Shutterstock.com (c) Maksim Kabakou
Image from Shutterstock.com (c) Maksim Kabakou

Canadian enterprises are among the victims in nine countries that have been hit in the past two years by a new highly obfuscated bot, according to researchers at netwokr security vendor FireEye.

The company said it has dubbed the malware Latenbot, presumably because it leaves hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless. It implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations — many in the financial sector — here and in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Peru and Poland.

“Stealth being one of its traits, Latentbot will only keep malicious code in memory for the short time that is needed,” says FireEye. “Most of the encoded data is found either in the program resources or in the registry. A custom encryption algorithm is shared across the different components, including in encrypting its command and control communications. Due to this, its family binaries are detected [by security soruces such as VirusTotal] with a generic name such as Trojan.Generic.

It is selective in the types of Windows systems it will infect: It won’t run in Windows Vista or WinServer 2008. The malware also uses compromised websites as CnC infrastructure, making infection easier and detection harder.

Characteristics include

a)    Multiple layers of obfuscation
b)    Decrypted strings in memory are removed after being used
c)    Hiding applications in a different desktop
d)    MBR wiping ability
e)    Ransomlock similarities such as being able to lock the desktop
f)    Hidden VNC Connection
g)    Modular design, allowing easy updates on victim machines
h)    Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically
i)    Drops Pony malware as a module to act as infostealer

Typically it is spread through malicious emails containing an attachment with an old Word exploit. When the document is opened, an embedded malicious executable runs that alerts a server for campaign tracking and downloaded the LuminosityLink remote access Trojan as the second stage binary. LuminosityLink can steal passwords, record keystrokes, transfer files and activate attached microphones or webcams.

But it also downloads Latenbot, a .NET binary from a secondary CnC server, which in turn includes contains a fourth stage payload — also an obfuscated .NET binary. This piece will open the .NET programs RegAsm.exe and CvTres.exe from %windir%\Microsoft .Net\Framework\v2.050727\ and use process hollowing to replace them with malicious code in memory. It goes on from there to execute several other processes.

Ultimately it loads  load BOT_ENGINE, which is the main module.  A Delphi program, it extracts data from resources and verifies their signature using a public key embedded in the malware.

Although Latenbot is highly obfuscated, due to the multiple process injections performed, it is noisy enough to be easily detected in memory with a proper behavior-based solution, says FireEye. Outbound callback tracking and blocking is also mandatory in cases when the malware was able to bypass the security controls in place.