
Malware Abuses Windows Troubleshooting Platform for Distribution

A highly obfuscated malicious backdoor that has been infecting organizations worldwide since 2013 was recently observed abusing the Windows Troubleshooting Platform (WTP) feature for distribution, Proofpoint researchers warn.


Dubbed “LatentBot”, the threat was discovered late last year and is a modular bot that allows attackers to perform surveillance, steal information, and gain remote access to compromised machines. What’s more, the malware remained largely undetected for roughly two years before FireEye caught a glimpse of it. Last year, it successfully compromised companies in the U.S., U.K., South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland.

In a recent campaign, the malware was observed abusing WTP to trick victims into executing the malicious payload, which was being distributed via email attachments. Because the execution of WTP isn’t accompanied by a security warning, and because users are likely to run a troubleshooter when Windows presents one, the attack becomes highly effective, Proofpoint researchers say.

In this campaign, email attachments were used to deliver a lure document, but Proofpoint argues that the same technique could be used with other delivery methods as well. As soon as the malicious document is opened, the victim is asked to “double-click to auto detect charset” and if they comply an embedded OLE object is launched.

Not only is the object a digitally signed DIAGCAB file (the Windows extension for a Troubleshooting pack), but it also presents to the victim another convincingly realistic window. This is a lure to trick the user into executing scripts associated with the troubleshooting package, namely a PowerShell command to download and launch the malicious payload.

The security researchers explain that attackers using such troubleshooting packages can customize the dialog’s appearance, the actions it offers, and the scripts it runs through the package’s XML definition. Because the malicious activity is performed outside the binary that loads the .diagcab file, this execution method is highly effective at bypassing detection by many existing sandbox products.

“This continues the trend of malware authors seeking new sandbox evasion methods via COM-based non-standard execution flow; previous examples of these methods are WMI, Office Interoperability, Background Intelligent Transfer Service, and the Task Scheduler. In this instance, via the creation of an IScriptedDiagnosticHost COM object in msdt.exe, the DcomLaunch service starts the Scripted Diagnostics Host (sdiagnhost.exe) which will launch command shell and PowerShell commands,” Proofpoint researchers note.
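The execution chain quoted above (document launches a .diagcab in msdt.exe, DcomLaunch starts sdiagnhost.exe, which spawns cmd.exe or PowerShell) is something a defender can look for in process-creation telemetry. The following is an added example, not code from Proofpoint or SecurityWeek; it assumes Sysmon-style key="value" event fields, assumes the lure document is opened in an Office application (the article only says a document launches an embedded OLE object), and uses constructed sample events.

```python
"""Detection sketch for the WTP execution chain described above:
document -> msdt.exe (.diagcab) -> sdiagnhost.exe -> cmd.exe / powershell.exe.
Log format, field names and sample events are constructed for this example."""
import re
from pathlib import PureWindowsPath

# Shells that the Scripted Diagnostics Host has no ordinary reason to launch
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# Assumption: the lure document is opened in Office (not stated by the article)
DOCUMENT_VIEWERS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed process-creation events in Sysmon-style key="value" form
SAMPLE_LOG = [
    'Image="C:\\Windows\\System32\\msdt.exe" ParentImage="C:\\Office\\WINWORD.EXE" '
    'CommandLine="msdt.exe /cab C:\\Users\\u\\AppData\\Local\\Temp\\lure.diagcab"',
    'Image="C:\\Windows\\System32\\sdiagnhost.exe" '
    'ParentImage="C:\\Windows\\System32\\svchost.exe" CommandLine="sdiagnhost.exe -Embedding"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\System32\\sdiagnhost.exe" CommandLine="powershell.exe -w hidden"',
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="cmd.exe"',
]

def parse_event(line):
    """Turn one key="value" line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def image_name(path):
    # File name of a Windows path, lower-cased; '' when the field is missing
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the detection labels that one event triggers (empty list if none)."""
    parent = image_name(event.get("parentimage", ""))
    image = image_name(event.get("image", ""))
    cmdline = event.get("commandline", "").lower()
    hits = []
    # Strongest signal: the Scripted Diagnostics Host spawning a shell
    if parent == "sdiagnhost.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("wtp_scripted_host_spawned_shell")
    # Earlier in the chain: a document viewer handing a .diagcab to msdt.exe
    if parent in DOCUMENT_VIEWERS and image == "msdt.exe" and ".diagcab" in cmdline:
        hits.append("document_launched_diagcab")
    return hits

def scan(lines):
    """Return (line_index, labels) for every event that triggers a rule."""
    results = []
    for i, line in enumerate(lines):
        labels = classify(parse_event(line))
        if labels:
            results.append((i, labels))
    return results
```

The second sample event (DcomLaunch's svchost.exe starting sdiagnhost.exe) is deliberately not flagged on its own, since that step also occurs for legitimate troubleshooters; the rules fire on the document-to-msdt.exe hand-off and on the host spawning a shell.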

The LatentBot malware dropped as part of this campaign was observed loading a series of bot plugins for exfiltration and remote access, including Bot_Engine, remote_desktop_service, send_report, security, and vnc_hide_desktop.


Attackers have been seen before abusing built-in Microsoft Windows features for a seamless and low-resistance infection process, and the use of WTP for nefarious purposes is a clear example of how they are looking for new ways to achieve that. The natural “Windows” experience offered in this campaign was bound to fool even experienced users, not to mention that the unusual execution chain would bypass sandbox detection, researchers explain.

Last week, FireEye revealed that attackers have found new means to abuse Windows Management Instrumentation (WMI) queries to evade detection. WMI and PowerShell were seen being leveraged in various attacks by advanced persistent threat (APT) groups, and researchers have found new examples of how WMI queries can be leveraged for nefarious purposes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
