A highly obfuscated malicious backdoor that has been infecting organizations worldwide since 2013 was recently observed abusing the Windows Troubleshooting Platform (WTP) feature for distribution, Proofpoint researchers warn.
Dubbed “LatentBot”, the threat was discovered late last year and is a modular bot. The malware allows attackers to conduct surveillance, steal information, and carry out remote access operations. What’s more, the malware remained largely undetected for roughly two years before FireEye caught a glimpse of it. Last year, the malware successfully compromised companies in the U.S., U.K., South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland.
In a recent campaign, the malware was observed abusing WTP to trick victims into executing the malicious payload, which was being distributed via email attachments. Because the execution of WTP isn’t accompanied by a security warning and users would run the troubleshooter when it appears in Windows, the attack becomes highly effective, Proofpoint researchers say.
In this campaign, email attachments were used to deliver a lure document, but Proofpoint argues that the same technique could be used with other delivery methods as well. As soon as the malicious document is opened, the victim is asked to “double-click to auto detect charset” and if they comply an embedded OLE object is launched.
The object is a digitally signed DIAGCAB file (the Windows extension for a troubleshooting pack), and it presents the victim with another convincingly realistic window. This window is a lure to trick the user into running the scripts associated with the troubleshooting package, namely a PowerShell command that downloads and launches the malicious payload.
The security researchers explain that attackers using such troubleshooting packages can customize the dialog’s appearance, its actions, and the scripts it runs through the package’s XML. Because the malicious activity is performed outside the binary that loads the .diagcab file, this execution method is highly effective at bypassing detection by many existing sandbox products.
“This continues the trend of malware authors seeking new sandbox evasion methods via COM-based non-standard execution flow; previous examples of these methods are WMI, Office Interoperability, Background Intelligent Transfer Service, and the Task Scheduler. In this instance, via the creation of an IScriptedDiagnosticHost COM object in msdt.exe, the DcomLaunch service starts the Scripted Diagnostics Host (sdiagnhost.exe) which will launch command shell and PowerShell commands,” Proofpoint researchers note.
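The process chain quoted above (msdt.exe, then sdiagnhost.exe started by DcomLaunch, then cmd.exe or PowerShell) is what a defender can key on. The following is an added detection example written for this article, not code from Proofpoint or FireEye: it parses a constructed Sysmon-style process-creation record format and flags the Scripted Diagnostics Host spawning a shell, plus a .diagcab handed to msdt.exe by an Office process (that parent relationship is an assumption; the article only says the embedded OLE object launches the troubleshooter).

```python
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

@dataclass(frozen=True)
class ProcEvent:          # one process-creation record (Sysmon event 1 style)
    parent_image: str
    image: str
    command_line: str

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> ProcEvent:
    """Parse the constructed 'ParentImage=..|Image=..|CommandLine=..' format."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])

def classify(ev: ProcEvent) -> list[str]:
    """Names of the detections this record matches (empty list if none)."""
    parent, child = image_name(ev.parent_image), image_name(ev.image)
    hits = []
    # The chain described above: the Scripted Diagnostics Host spawning a shell.
    if parent == "sdiagnhost.exe" and child in SHELLS:
        hits.append("sdiagnhost_spawned_shell")
    # A .diagcab handed to msdt.exe by an Office process (parent is an assumption;
    # the article only says the embedded OLE object launches the troubleshooter).
    if child == "msdt.exe" and ".diagcab" in ev.command_line.lower() and parent in OFFICE_APPS:
        hits.append("office_launched_diagcab")
    return hits

def scan(log: str) -> list[tuple[int, list[str]]]:
    """(line number, detections) for every record that triggers a detection."""
    results = []
    for n, line in enumerate(log.splitlines(), 1):
        hits = classify(parse_event(line)) if line.strip() else []
        if hits:
            results.append((n, hits))
    return results

# Constructed sample records, not log data from the campaign.
SAMPLE_LOG = """\
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\msdt.exe|CommandLine="msdt.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\charset.diagcab"
ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\sdiagnhost.exe|CommandLine=sdiagnhost.exe
ParentImage=C:\\Windows\\System32\\sdiagnhost.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe <arguments redacted>
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe
"""
```

Running `scan(SAMPLE_LOG)` flags records 1 and 3 and leaves the normal DcomLaunch-started sdiagnhost.exe (record 2) alone; legitimate Microsoft troubleshooters also run through msdt.exe, so the second rule is a triage signal rather than a block rule.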
The LatentBot malware dropped as part of this campaign was observed loading a series of bot plugins for exfiltration and remote access, including Bot_Engine, remote_desktop_service, send_report, security, and vnc_hide_desktop.
Attackers have previously been seen abusing built-in Microsoft Windows features for a seamless, low-resistance infection process, and the use of WTP for nefarious purposes is a clear example of how they keep looking for new ways to achieve that. The natural “Windows” experience offered in this campaign was bound to fool even experienced users, and the unusual execution chain would bypass sandbox detection, researchers explain.
Last week, FireEye revealed that attackers have found new means to abuse Windows Management Instrumentation (WMI) queries to evade detection. WMI and PowerShell were seen being leveraged in various attacks by advanced persistent threat (APT) groups, and researchers have found new examples of how WMI queries can be leveraged for nefarious purposes.