Canadian firms among targets of new malware, says FireEye

Canadian enterprises are among the victims in nine countries that have been hit in the past two years by a new highly obfuscated bot, according to researchers at netwokr security vendor FireEye.

The company said it has dubbed the malware Latenbot, presumably because it leaves hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless. It implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations — many in the financial sector — here and in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Peru and Poland.

“Stealth being one of its traits, Latentbot will only keep malicious code in memory for the short time that is needed,” says FireEye. “Most of the encoded data is found either in the program resources or in the registry. A custom encryption algorithm is shared across the different components, including in encrypting its command and control communications. Due to this, its family binaries are detected [by security soruces such as VirusTotal] with a generic name such as Trojan.Generic.

It is selective in the types of Windows systems it will infect: It won’t run in Windows Vista or WinServer 2008. The malware also uses compromised websites as CnC infrastructure, making infection easier and detection harder.

Characteristics include

a)    Multiple layers of obfuscation
b)    Decrypted strings in memory are removed after being used
c)    Hiding applications in a different desktop
d)    MBR wiping ability
e)    Ransomlock similarities such as being able to lock the desktop
f)    Hidden VNC Connection
g)    Modular design, allowing easy updates on victim machines
h)    Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically
i)    Drops Pony malware as a module to act as infostealer

Typically it is spread through malicious emails containing an attachment with an old Word exploit. When the document is opened, an embedded malicious executable runs that alerts a server for campaign tracking and downloaded the LuminosityLink remote access Trojan as the second stage binary. LuminosityLink can steal passwords, record keystrokes, transfer files and activate attached microphones or webcams.

But it also downloads Latenbot, a .NET binary from a secondary CnC server, which in turn includes contains a fourth stage payload — also an obfuscated .NET binary. This piece will open the .NET programs RegAsm.exe and CvTres.exe from %windir%\Microsoft .Net\Framework\v2.050727\ and use process hollowing to replace them with malicious code in memory. It goes on from there to execute several other processes.

Ultimately it loads  load BOT_ENGINE, which is the main module.  A Delphi program, it extracts data from resources and verifies their signature using a public key embedded in the malware.

Although Latenbot is highly obfuscated, due to the multiple process injections performed, it is noisy enough to be easily detected in memory with a proper behavior-based solution, says FireEye. Outbound callback tracking and blocking is also mandatory in cases when the malware was able to bypass the security controls in place.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now