Malware Abuses Windows Troubleshooting Platform for Distribution

A highly obfuscated malicious backdoor that has been infecting organizations worldwide since 2013 was recently observed abusing the Windows Troubleshooting Platform (WTP) feature for distribution, Proofpoint researchers warn.

Dubbed “LatentBot”, the threat was discovered late last year and is a modular bot whose plugins let attackers conduct surveillance, steal information, and obtain remote access to infected machines. The malware had remained largely undetected for roughly two years before FireEye caught a glimpse of it. Last year it successfully compromised companies in the U.S., U.K., South Korea, Brazil, the United Arab Emirates, Singapore, Canada, Peru and Poland.

In a recent campaign, the malware was observed abusing WTP to trick victims into executing the malicious payload, which was distributed via email attachments. Because launching a troubleshooting pack is not accompanied by a security warning, and users are accustomed to running troubleshooters when Windows presents them, the attack is highly effective, Proofpoint researchers say.

In this campaign, email attachments were used to deliver a lure document, but Proofpoint notes that the same technique could be combined with other delivery methods. As soon as the malicious document is opened, the victim is asked to “double-click to auto detect charset”; if they comply, an embedded OLE object is launched.

The object is a digitally signed DIAGCAB file (the Windows extension for a troubleshooting pack), and it presents the victim with another convincingly realistic Windows dialog. This is the lure that gets the user to run the scripts associated with the troubleshooting pack, in this case a PowerShell command that downloads and launches the malicious payload.

The security researchers explain that attackers building such troubleshooting packs can customize the dialog’s appearance, the actions it offers, and the scripts it runs, all through the pack’s XML. Because the scripts run in a separate process rather than in the binary that loaded the .diagcab file, the execution chain does not show up as a child of the document viewer, and the method is highly effective at bypassing detection by many existing sandbox products that follow a sample’s process tree.

“This continues the trend of malware authors seeking new sandbox evasion methods via COM-based non-standard execution flow; previous examples of these methods are WMI, Office Interoperability, Background Intelligent Transfer Service, and the Task Scheduler. In this instance, via the creation of an IScriptedDiagnosticHost COM object in msdt.exe, the DcomLaunch service starts the Scripted Diagnostics Host (sdiagnhost.exe) which will launch command shell and PowerShell commands,” Proofpoint researchers note.
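To make the detection point concrete, here is an added example in Python (not Proofpoint’s or SecurityWeek’s code) that runs process-lineage rules over constructed Sysmon-style process-creation records. The records, GUIDs, user paths and command lines are assumptions for illustration only. It shows why a rule that looks for an Office process spawning PowerShell misses this chain: the DcomLaunch service, not msdt.exe, starts sdiagnhost.exe, so the PowerShell child’s ancestry stops at svchost.exe and never links back to the document. A rule keyed on sdiagnhost.exe as the parent of cmd.exe or powershell.exe, or on an Office process opening a .diagcab through msdt.exe, does catch it.

```python
"""Process-lineage rules for the Windows Troubleshooting Platform chain.

Added example, not code from Proofpoint or SecurityWeek. The Sysmon-style
process-creation records below are constructed; GUIDs, user paths and
command lines are assumptions for illustration only.
"""
import json

# Constructed Sysmon Event ID 1 records (one JSON object per line) modelling
# the chain the article describes: lure document -> msdt.exe opens the
# .diagcab; DcomLaunch (svchost.exe) starts sdiagnhost.exe, which runs the
# pack's PowerShell script. The last record is benign, to check for noise.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ProcessGuid": "{guid-0001}", "ParentProcessGuid": "{guid-0000}", "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" /n lure.doc"}
{"EventID": 1, "ProcessGuid": "{guid-0002}", "ParentProcessGuid": "{guid-0001}", "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "CommandLine": "msdt.exe /cab C:\\Users\\victim\\AppData\\Local\\Temp\\pack.diagcab"}
{"EventID": 1, "ProcessGuid": "{guid-0003}", "ParentProcessGuid": "{guid-0099}", "Image": "C:\\Windows\\System32\\sdiagnhost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\sdiagnhost.exe -Embedding"}
{"EventID": 1, "ProcessGuid": "{guid-0004}", "ParentProcessGuid": "{guid-0003}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe", "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\victim\\AppData\\Local\\Temp\\TS_Fix.ps1"}
{"EventID": 1, "ProcessGuid": "{guid-0005}", "ParentProcessGuid": "{guid-0010}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
'''

SHELLS = {"cmd.exe", "powershell.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines Sysmon records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def office_spawns_shell(events):
    """Naive rule: a shell whose direct parent is an Office process.
    Misses the WTP chain, because the shell's parent is sdiagnhost.exe."""
    return [e["ProcessGuid"] for e in events
            if basename(e["Image"]) in SHELLS
            and basename(e["ParentImage"]) in OFFICE]


def sdiagnhost_spawns_shell(events):
    """Rule keyed on the Scripted Diagnostics Host spawning cmd/PowerShell."""
    return [e["ProcessGuid"] for e in events
            if basename(e["Image"]) in SHELLS
            and basename(e["ParentImage"]) == "sdiagnhost.exe"]


def office_opens_diagcab(events):
    """Rule for the front half of the chain: msdt.exe started by an Office
    process with a .diagcab on its command line."""
    return [e["ProcessGuid"] for e in events
            if basename(e["Image"]) == "msdt.exe"
            and basename(e["ParentImage"]) in OFFICE
            and ".diagcab" in e["CommandLine"].lower()]


def lineage(events, guid):
    """Walk ParentProcessGuid links; returns image names root-first.
    Stops when the parent is not in the event set (here the svchost.exe
    hosting DcomLaunch, assumed started before logging began), which is
    exactly where the WTP chain breaks: the PowerShell child never links
    back to the document."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain = []
    while guid in by_guid:
        chain.append(basename(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain[::-1]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("office -> shell       :", office_spawns_shell(evts))
    print("sdiagnhost -> shell   :", sdiagnhost_spawns_shell(evts))
    print("office -> msdt diagcab:", office_opens_diagcab(evts))
    for g in ("{guid-0002}", "{guid-0004}"):
        print(g, " <- ".join(reversed(lineage(evts, g))))
```

The sdiagnhost.exe rule will also fire on legitimate troubleshooters, which run their PowerShell scripts through the same host, so in practice pair the parent-child match with the script path, the download activity on the command line, or the preceding Office-to-msdt.exe event rather than treating the pair alone as malicious.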

The LatentBot malware dropped as part of this campaign was observed loading a series of bot plugins for exfiltration and remote access, including Bot_Engine, remote_desktop_service, send_report, security, and vnc_hide_desktop.

Attackers have abused built-in Windows features before to make infection seamless and low-friction, and the use of WTP for this purpose is a clear example of how they keep looking for new ways to do so. The native Windows look of the dialog in this campaign was bound to fool even experienced users, and the unusual execution chain would also bypass sandbox detection, the researchers explain.

Last week, FireEye revealed that attackers have found new ways to abuse Windows Management Instrumentation (WMI) queries to evade detection. WMI and PowerShell have been leveraged in various attacks by advanced persistent threat (APT) groups, and researchers continue to find new examples of WMI queries being put to nefarious use.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
